Information record infrastructure, system and method

ABSTRACT

A method for controlling access to a medical record of a patient hosted by at least one medical record repository, comprising a plurality of sub-records, each sub-record having an associated different patient-controlled access control criteria, comprising: receiving, by an intermediary, a request for a medical record from a requester, said request comprising a medical record identifier, a requester identifier, requester authentication information, and patient-provided access control authorization; automatically processing, by the intermediary, the request for the medical record to authenticate the requester and determine sufficiency of the patient-provided access control authorization to meet the patient-controlled access control criteria for each respective sub-record encompassed by the request; and selectively communicating, from the intermediary to the at least one medical record repository, an identification of each sub-record for which access control criteria are determined to be sufficient for access by the requestor. An electronic payment authorization associated with the request may be generated, for compensation of at least one of the intermediary and a medical record repository.

RELATED APPLICATIONS

The present application claims benefit or priority from U.S. ProvisionalPatent Application No. 60/216,199, filed Jul. 6, 2000, and U.S.Provisional Patent Application No. 60/223,246, filed Aug. 4, 2000, andis a continuation of U.S. application Ser. No. 09/899,787, filed Jul. 5,2001, each of which is expressly incorporated herein by reference.

FIELD OF THE INVENTION

The present invention relates to the field of information records,repositories, systems and methods for the creation, use, processing,maintenance, transmission, querying and protection thereof.

BACKGROUND OF THE INVENTION

Computerized records and database are employed in many industries.Often, the information is made available subject to usage rightslimitations. For example, copyright information is generally controlledby the copyright owner, such that copying is controlled or prohibitedafter publication. In a digital environment, each transmission of thecontent results in a form of copying, such that a copyright owner cannotimpose a strict prohibition on all forms of copying while promotingdigital use of the content. Thus, the publisher or content owner seeksto apply rules that provide appropriate compensation.

In other instances, the issue is not content, but rather security andprivacy. In these cases, the rules limit access based on anauthorization, which may be express or implied. Medical and legalrecords are examples of this form of content limitation.

Conceptually, implementation of an economic permission and securitypermission based access control systems are similar. In fact, securitybased access control systems often include logs and audit trails, whichare similar to the accounting databases associated with economicpermission systems. Thus, many issues raised by these systems aresimilar.

Medical Records

The art of medical record keeping has developed over centuries ofmedical practice to provide an accurate account of a patient's medicalhistory. Record keeping in medical practice was developed to helpphysicians, and other healthcare providers, track and link individual“occurrences” between a patient and a healthcare provider. Eachphysician/patient encounter may result in a record including notes onthe purpose of the visit, the results of physician's examination of thepatient, and a record of any drugs prescribed by the physician. If, forexample, the patient were referred to another clinic for additionaltesting, such as a blood analysis, this would form a separate medicalencounter, which would also generate information for the medical record.

The accuracy of the medical record is of the utmost importance. Themedical record describes the patient's medical history, which may be ofcritical importance in providing future healthcare to the patient.Further, the medical record may also be used as a legal document, as aresearch tool and to provide information to insurance companies or thirdparty reimbursors.

Over the years, paper medical records have evolved from individualpractitioners' informal journals to the current multi-author,medical/legal documents. These paper records serve as the informationsystem on which modern medical practice is based. While the paper-basedmedical record system has functioned well over many decades of use, ithas several shortcomings. First, while a paper-based record system canadequately support individual patient-physician encounters, it fails toserve as a source of pooled data for large-scale analysis. While themedical data in the paper-based records is substantial, the ability toadequately index, store and retrieve information from the paper-basedmechanisms prevents efficient analysis of the data. Thus, paper medicalrecords could be a rich source of information for generating newknowledge about patient care, if only their data could be accessed on alarge scale. Second, each portion of the paper-based record is generatedand kept at the site of the medical service. Hence, the total record maybe fragmented among many sites. Consequently, access by off-sitephysicians is less than optimal. The inability to access a completemedical record in a short period of time presents problems both forindividual care and group care of patients. Because of the shortcomingsof the paper-based record, the electronic medical record (or “EMR”) hasbeen investigated for a number of years. An electronic medical recordmay be stored and retrieved electronically through a computer.

Clinical information as expressed by health care personnel is typicallyprovided in natural language, e.g., in English. While phrases in naturallanguage are convenient in interpersonal communication, the sametypically does not apply to computerized applications such as automatedquality assurance, clinical decision support, patient management,outcome studies, administration, research and literature searching. Evenwhere clinical data is available in electronic or computer-readableform, the data may remain inaccessible to computerized systems becauseof its form as narrative text. Thus, while medical records may bemaintained in electronic form, significant efforts are necessary inorder to make the information available for automated analysis.

For computerized applications, methods and systems have been developedfor producing standardized, encoded representations of clinicalinformation from natural-language sources such as findings fromexaminations, medical history, progress notes, and discharge summaries.Special-purpose techniques have been used in different domains, e.g.,general and specialized pathology, radiology, and surgery dischargereports.

Medical information poses significant challenges to knowledge managementsystems. Medical information presently includes multimedia file types,including numeric data, text, scanned text images, scanned graphicimages, sound (e.g., phonocardiography and dictation), high resolutionimages (radiology) and video (ultrasonic imaging and fluoroscopy). Themedical records for an individual may, over time, grow to multiplemegabytes or even gigabytes of data, and advanced medical techniquespromise to increase the available data. These records come from a numberof different medical service providers, and may be stored ingeographically disparate locations. Often, a new medical serviceprovider will seek to review all appropriate previous medical recordsfor a patient. Further, in third party reimbursement situations, thethird party indemnity will seek to review records in connection withbilled services.

On the other hand, medical records include data that is intenselypersonal, including personal data such as sexual habits, drug abuse,psychological disorders, family histories, genetics, terminal diseases,or other injuries, and the like. Thus, while there are legitimatereasons for transmitting medical information files, such transmissionmust be limited to appropriate circumstances and to authorizedrecipients.

In today's practice environment, the inability of healthcare providers,administrators, insurers, researchers and governmental agencies torapidly access and/or extract information from paper-based medicalrecords represents a serious limitation with significant scientific andeconomic ramifications. Electronic medical record systems are expectedto improve healthcare delivery by enhancing case managementcapabilities, and by leading to clinical practice research databasesthat provide valuable information on patient outcomes and clinicaleffectiveness.

While there have been attempts to develop computer databasearchitectures capable of storing and retrieving medical recordinformation which reconcile physicians' desires for maintaining a formatof unstructured medical information with database requirements forhighly structured data storage, these systems fail to provide aninfrastructure for the efficient transmission, use and securityprotection of the data.

Some approaches have been based on the development of categorical datastructures and descriptive vocabularies that require translation ofmedical information into highly structured abstractions. This approachis problematic due to the enormous size of the overall translation task,the inability to accurately code all of the information contained withinthe free-text portion of the record, and the fact that normalizing dataintroduces additional abstraction, which may devalue its clinical worth.

Other approaches provide a full text database with a metadata headerabstracting portions of the data record. However, searching thismetadata may be difficult, and the existence of this metadata outside ofthe record itself may impair patient privacy. On the other hand, failureto index the data makes searching for a record difficult.

There has been a longstanding trend to computerize various forms ofinformation, in order to make this information more accessible, tofacilitate transmission, and to facilitate storage thereof. However, inthe case of medical information, this has resulting in significantconcerns for the privacy and security of the information. Indeed, whilethe information technically cannot be disclosed without the consent ofthe patient, since at least the time of Hippocrates, the medicalinstitutions that hold this information guard it jealously. Thus, it maybe difficult to obtain collaboration between medical institutions in theongoing treatment of a patient. While there are important legitimateuses for medical data, there is also a substantial possibility for abuseof the data and the associated trust relationship between patient andmedical care provider represented therein. In fact, recent federallegislative and regulatory initiatives (US Department of Human HealthServices) seek to regulate the creation, use, transmission andmaintenance of medical information databases, and indeed may imposecriminal sanctions.

The regulatory activities define mandates without defining implementingtechnologies nor providing funding for the burden imposed on federal,state, local and private entities.

Typically, in a hospital medical information system, informationrelating to patients in a database is generated and used by users havinga variety of roles, including doctors of various specialties, nurses,therapists of various types, paraprofessionals, clinical laboratories,and bedside devices (which may automatically generate or receive patientinformation). In addition, medical information is used, but typicallynot generated by, pharmacies, administrators, lawyers, insurers orpayors, and other parties.

Medical databases present a particular problem that has been difficultto address. On one hand, database architects seek to provide indexing ofkey fields of the database, allowing efficient retrieval. On the otherhand, such indexes necessarily include information derived from therecord. Thus, the existence of an index poses a security and privacybreach risk. One way to address this issue, as proposed in U.S. Pat. No.5,832,450, is to avoid indexing, but rather to provide informationcontained only in the database record. While this preserves privacy, itmakes locating a database record other than by patient identifier, orits accession identifier, very difficult.

Another method used to address this problem is the maintenance ofanonymous medical records in addition to patient-specific records. Thus,a search for a record other than by patient identifier may be performed,but typically not for the treatment of the patient. Such techniques areuseful in academic exercises. Often, the anonymization process isimperfect, or very costly.

One scheme for increasing the portability of medical records is toprovide personal data storage devices, for example in credit card formatoptical storage medium. These devices, however, present a security risk,since it cannot be presumed that the patient will be able to provideconsent to the use of the information when required; thus, accesscontrols must necessarily be compromised. Further, the informationcarrier can be lost or destroyed.

Because of the many types of caregivers, the idea of role-based accesshas arisen; basically, medical professionals of different types willrequire access to various subsets of the medical record. For example,typically the primary care physician and certain consults will requirefull access.

Traditionally, medical records maintenance and upkeep have imposed asignificant cost and burden. While enterprises have evolved foroutsourcing of certain functions, these enterprises have notparticularly represented the interests of the patient, and rather serveas agents for the medical record custodian.

One method for ensuring data security is encryption. Cryptographicsystems employ secret keys to protect information. Key managementsystems for cryptographic keys are well known. One such system, byEntrust Technologies Limited is currently commercially available.

Media Content

One particular area of digital rights management involves the use anddistribution of digital media, e.g., consumer entertainment in the formof audio, video, multimedia, and/or text. Computer software may beconsidered another form of media. In these systems, one significantpurpose for digital distribution is to reduce the costs and increaseconvenience involved in communicating the information to the user. This,in turn, tends to reduce the actual or perceived cost of “consumption”of the media to the user. However, in a digital network, the content isreadily replicated, and thus the owner risks loss of control andcompensation. In order to retain control, the media is typicallydistributed in encrypted form. Alternatively, the media itself isunencrypted, but the available hardware for using the digital mediarequires permission for operation, in effect blocking the decoding to ausable form.

The existing systems seek to create an obligation by the recipient onbehalf of the owner, to abide by the restrictions imposed. Thisobligation can be voluntarily or mandatory.

While on-line systems for browsing media may maintain privacy andconfidentiality, on-line commercial transactions often waive privacy andconfidentiality, by requiring disclosure of identity, electronic billinginformation, bill address, shipping address, and the association withthe item being purchased. Further, databases are maintained which maythen impair future privacy by associating the user's IP address orproviding a browser cookie, which identify the user or associate with aprior detailed database record.

Thus, electronic commerce has the ability to eliminate the anonymity ofcash. This is especially troublesome with respect to media contentpreferences and consumption, since these preferences and consumptionwere heretofore considered private.

Existing systems do not create a trust infrastructure, wherein anindependent third party represents and serves as agent for the contentowner, implementing a set of restrictive rules for use of the content,and interacting and servicing customers. In fact, these systems adopt amore traditional retail model, with independent resellers, or employrelated entities.

In fact, the use of an intermediary, such as an Internet proxy server orpayment service can protect user privacy. However, the Internet proxycannot anonymize a direct electronic purchase transaction. Thus,existing intermediaries do not act in a representative capacity for thecontent owner, and do not integrate content management functions.

Personal Demographic Information

As stated above, many different electronic commerce systems have accessto, and indeed maintain profiles and other information on customers.Even non-electronic retailers have adopted techniques to provide thesame types of information, for example, supermarkets that provide “clubcards”, and otherwise may track credit/debit card purchases.

Retailers seek to gain valuable insight into their business and consumerhabits and responsiveness to promotions by profiling consumers, andforming personal profiles and/or aggregate profiles from thisinformation. Since the information often includes purchase information,the profiles are personally identifiable. Further, user profiling mustbe associated with the same user on an ongoing basis.

Intermediaries

In fact, the use of an intermediary, such as an Internet proxy server orpayment service, can protect user privacy. However, the Internet proxycannot anonymize a direct electronic purchase transaction, and use of anintermediary service results in a loss of rights with respect to creditcard transactions.

Thus, existing intermediaries do not act in a representative capacityfor the content owner, and do not integrate content managementfunctions.

Computer Security

Computer security is currently an important issue. With theproliferation of computers and computer networks into all aspects ofbusiness and daily life—financial, medical, education, government, andcommunications—the concern over secure file access is growing. Usingpasswords is a common method of providing security. Password protectionand/or personal identification numbers are employed for computer networksecurity, automatic teller machines, telephone banking, calling cards,telephone answering services, houses, and safes. These systems generallyrequire the knowledge of an entry code that has been selected by a useror has been preset. Preset codes are sometimes forgotten, as users haveno reliable method of remembering them. Writing down the codes andstoring them in close proximity to an access control device (i.e. thecombination lock) results in a secure access control system with a veryinsecure code. Alternatively, the nuisance of trying several codevariations renders the access control system more of a problem than asolution.

Password systems are known to suffer from other disadvantages. Usually,a user specifies passwords. Most users, being unsophisticated users ofsecurity systems, choose passwords that are relatively insecure, forexample words that are found in a dictionary or within a personalwallet. As such, many systems protected by passwords are easily accessedthrough a simple (possibly automated) trial and error process.

Biometric authentication schemes, for example fingerprint, voice, iris,retina, hand, face, or other personal characteristics, may be used toidentify a user. These either do not require a password or access code,or are used in conjunction with such passwords or codes, and may providesubstantial system security. A biometric identification system acceptsunique biometric information from a user and identifies the user bymatching the information against information belonging to registeredusers of the system.

Though biometric authentication is a secure means of identifying a user,it is difficult to derive encryption keys from the information. In thefirst place, the information is different each time it is presented to abiometric information input device. Secondly, the biometric informationis retrievable through, for example, extraction of latent fingerprints,and is therefore subject to “spoofing”. When an encryption key isderived directly from biometric information, the extraction of latentbiometric information or the interception of biometric information mayallow others to derive the encryption key. Thirdly, since some biometricinformation is substantially unchanging, it is not well suited toencryption because once an encryption key or biometric authenticationsystem is broken (i.e., knowledge exists to circumvent the securityprovided by the scheme), and its use should be discontinued; however,changing the biometric information on demand is a difficult procedure.In order to overcome this problem, key management systems exist whereina plurality of keys are stored in a secure key database. A userauthentication, such as a biometric authentication, is used to accessthe secure key database. Often the database is encrypted with a key thatis accessible through user authentication.

Key management systems are well known. One such system, by EntrustTechnologies Limited is currently commercially available. Unfortunately,current key management systems are designed for installation on a singlecomputer and for portability between computers having a sameconfiguration. As such, implementation of enhanced security throughinstallation of biometric input devices is costly and greatly limitsportability of key databases. Alternatively, password based protectionof key databases is undesirable because of the inherent insecure natureof most user selected passwords. For example, when using Entrust®software to protect a key database, the database is portable on a smartcard or on a floppy disk. The portable key database is a duplicate ofthe existing key database. User authentication for the portable keydatabase is identical to that of the original key database. Theimplications of this are insignificant when password user authenticationis employed; however, when biometric user authentication such as retinalscanning or fingerprint identification are used, the appropriatebiometric identification system is required at each location wherein theportable key database is used. Unfortunately, this is often not thecase. In order to avoid this problem, organizations employ passwordaccess throughout and thereby reduce overall security to facilitateportability. Alternatively, members of an organization are not permittedto travel with portable key databases and thereby have reduced mobilityand are capable of performing fewer tasks while outside the office. Thiseffectively counters many of the benefits available in the informationage. Key databases, once created, should not decrypted, except duringemergencies. This prevents keys from becoming vulnerable by existing intheir decrypted state.

PRIOR ART

A number of fields of endeavor are relevant to the present invention,and exemplary prior art, incorporated herein by reference, are disclosedbelow. The references disclosed provide a skilled artisan withembodiments of elements of the present invention, and the teachingstherein may be combined and subcombined in various manners in accordancewith the present teachings. The topical headings are advisory only, andare not intended to limit the applicability of any reference.

Medical Record Systems

-   John D. Halamka, Peter Szolovits, David Rind, and Charles Safran, “A    WWW Implementation of National Recommendations for Protecting    Electronic Health Information”, J. Am. Med. Inform. Assoc. 1997 4:    458-464 (expressly incorporated herein by reference).-   Reid Cushman, “Serious Technology Assessment for Health Care    Information Technology”, J. Am. Med. Inform. Assoc. 1997 4: 259-265    (expressly incorporated herein by reference).-   Suzy A. Buckovich, Helga E. Rippen, and Michael J. Rozen, “Driving    Toward Guiding Principles: A Goal for Privacy, Confidentiality, and    Security of Health Information”, J. Am. Med. Inform. Assoc. 1999 6:    122-133 (expressly incorporated herein by reference).-   Paul C. Tang, “An AMIA Perspective on Proposed Regulation of Privacy    of Health Information”, J. Am. Med. Inform. Assoc. 2000 7: 205-207    (expressly incorporated herein by reference).-   Clement J. McDonald, “The Barriers to Electronic Medical Record    Systems and How to Overcome Them”, J. Am. Med. Inform. Assoc. 1997    4: 213-221 (expressly incorporated herein by reference).

U.S. Pat. No. 5,361,202 (Doue, Nov. 1, 1994, Computer display system andmethod for facilitating access to patient data records in a medicalinformation system), expressly incorporated herein by reference, relatesto a system and method to improve access to patient information inmedical information system for a health care facility. A computerdisplay system, and a method for such a display system, includes adisplayed representation of the duration of the stay of an identifiedpatient in the health care facility. In such a medical informationsystem patient data is stored in data files in a database, wherein eachdata file in the database is comprised of a plurality of data records. Auser positions a cursor on the displayed representation using an inputunit and signals the computer of a desired date and time. The computer,in response to the signal determines the desired date and time from theposition of the cursor and accesses a data record or records from thedata file based on the desired date and time. The accessed data recordor records may then be displayed. The data records may be time-stamped.In that case, the duration of the patient's stay is the time periodbetween the earliest and latest time stamps.

U.S. Pat. No. 5,644,778 (Burks, et al., Jul. 1, 1997, Medicaltransaction system), expressly incorporated herein by reference, relatesto a medical transaction system, which is capable of permitting aplurality of healthcare providers to communicate with a plurality ofpayors and financial institutions. The healthcare providers, payors, andfinancial institutions do not have to communicate in the same datamessage formats nor in the same communication protocols. Such a systemfacilitates not only the processing of medical claims submitted by thehealthcare providers to the payors, but also permits the transfer ofmedical data records between healthcare providers. The system supportsthe processing of medical claims without requiring a centralizeddatabase or imposing a uniform claim format on the healthcare providersand payors. The preferred embodiment further includes a financialtransactor that uses remittance information from the payors to generatethe electronics funds transfer messages to credit and debit accounts.Additionally, the system supports a medical line of credit at financialinstitutions that may be used to pay portions of medical claims notcovered by payors.

U.S. Pat. No. 5,832,450 (Myers, et al. Nov. 3, 1998), expresslyincorporated herein by reference, provides an electronic medical recordsystem that stores data about individual patient encounters arising froma content generator in free-form text. A header for each encounter-basedrecord also uses text to store context information for that record. Eachheader comprises a plurality of attributes embodied as a fielddescriptor and a value, bound together as a text object. By binding thefield descriptors to the values, each encounter record is complete initself, without reference to database keys, thereby providing aself-validating record storage system. In this system, the security ofthe medical data is maintained, because the attribute values and theattribute descriptors are bound together as a text object, and becausethe values are not location dependent, the data is self-validating.Thus, templates, keys, or other lookup means employed by relationaldatabase are not required to find or interpret the data. Additionalattributes may be added without a restructuring process, reducing asource of errors into the system. Access of the content and contextinformation in the EMR system by external systems is possible withoutsecondary tables or keys.

U.S. Pat. No. 5,546,580 (Seliger, et al., Aug. 13, 1996), expresslyincorporated herein by reference, relates to a method and apparatus forcoordinating concurrent updates to a medical information database, fromdifferent workstations and medical instruments. A first data value for arecord is entered at a first workstation and a second data value for therecord is entered at a second workstation without locking eitherworkstation during data entry. The new data values are stored in themedical database after completion of data entry at each workstation, anda correction history is recorded. The correction history containsinformation as to the update of the record with the first data value andthe second data value. The record is updated with the first and seconddata values without aborting user activities or notifying a user that anupdate conflict has occurred. After the new data values are stored inthe medical database, all workstations containing a copy of the recordare updated to reflect the current state of the record.

U.S. Pat. No. 5,832,488 (Eberhardt, Nov. 3, 1998), expresslyincorporated herein by reference, relates to a computer system andmethod for storing medical histories using a smartcard to store data. Acomputer system and method is provided for programming it for storage ofindividual medical histories on a storage device, preferably about thesize of a credit card, for adding new medical data about the individualto the device and for communicating with other computers to retrievelarge data records about the individual; and for enabling a secondcomputer to collate and sort data relating to selected medical fieldsfrom the data of such individual and from the data about otherindividuals transferred to the second computer.

U.S. Pat. No. 5,867,821 (Ballantyne, et al., Feb. 2, 1999), expresslyincorporated herein by reference, relates to a method and apparatus forelectronically accessing and distributing personal health careinformation and services in hospitals and homes, for the distributionand administration of medical services, entertainment services,electronic medical records, educational information, etc. to a patient'sindividual electronic patient care station (PCS) interconnected to amaster library (ML) which stores data in digital compressed format,through a local medical information network. The patient/medicalpersonnel interact with this medical information network through theunique PCS and receive the requested service or data from the masterlibrary. The data is then displayed either on the associated televisionset or video monitor or through wireless/IR communications to aperipheral personal data assistant (pen based computer technology) Thedata for text, audio, and video information is all compressed digitallyto facilitate distribution and only decompressed at the final stagebefore viewing/interaction.

U.S. Pat. No. 5,899,998 (McGauley, et al., May 4, 1999), expresslyincorporated herein by reference, relates to a method and system formaintaining and updating computerized medical records. A distributeddatabase architecture stores medical information in a self-updatingsystem that employs point-of-service stations disposed at convenientmedical service locations. Each patient carries a portable data carriersuch as a smart card that contains the patient's complete medicalhistory. Interaction between the portable data carriers and thepoint-of-service stations effects a virtual communication link that tiesthe distributed databases together without the need for online or livedata connections. The point-of-service stations are also interconnectedover a communications network through a switching station that likewisedoes not rely on online, live communication. The database system uses anobject-oriented update object to distribute data that has been generatedwhen a portable data carrier is not physically present and toautomatically distribute data without the necessity of accessing amasterfile.

U.S. Pat. No. 5,903,889 (de la Huerga, et al., May 11, 1999), expresslyincorporated herein by reference, relates to a system and method fortranslating, collecting and archiving patient records. The systemretrieves, modifies, and collects data records having a plurality offormats and distributed on a plurality of databases on a computernetwork. The system includes means for detecting various types,relationships, and classifications of data records and modifying themaccordingly to support interactive, hypertext-linked display of, andorganized access to, the data records. The system further includes meansto store a related set of data records on a mass storage device such asa CD-ROM to provide non-network access to the data records. Adapted foruse in a hospital environment, the system facilitates access by careproviders, administrators, and insurance company agents to a patient'scumulative, and possibly extensive, record.

U.S. Pat. No. 5,911,132 (Sloane, Jun. 8, 1999, Method using centralepidemiological database), expressly incorporated herein by reference,relates to a system in which patient disease is diagnosed and/or treatedusing electronic data communications between not only the physician andhis/her patient, but via the use of electronic data communicationsbetween the physician and one or more entities which can contribute tothe patient's diagnosis and/or treatment, such electronic datacommunications including information that was previously receivedelectronically from the patient and/or was developed as a consequence ofan electronic messaging interaction that occurred between the patientand the physician. Such other entities illustratively include a medicaldiagnostic center and an epidemiological database computer facility thatcollects epidemiological transaction records from physicians, hospitalsand other institutions that have medical facilities, such as schools andlarge businesses. The epidemiological transaction record illustrativelyincludes various medical, personal and epidemiological data relevant tothe patient and his/her present symptoms, including test results, aswell as the diagnosis, if one has already been arrived at by the e-doc.The epidemiological database computer facility can correlate thisinformation with the other epidemiological transaction records that itreceives over time in order to help physicians make and/or confirmdiagnoses as well as to identify and track epidemiological events and/ortrends.

U.S. Pat. No. 5,911,687 (Sato, et al., Jun. 15, 1999, Wide area medicalinformation system and method using thereof), expressly incorporatedherein by reference, relates to a wide area medical information systemand a method using thereof comprising a wide area network, a pluralityof doctor terminals and patient terminals connected to the wide areanetwork, and a management server including at least an electronic caserecord file storing clinic information for patient's and a doctordatabase storing data of a plurality of doctors, wherein the systemsearches the doctor database on the basis of patient informationincluding the condition of the disease of a certain patient input fromthe patient terminal, selects the corresponding doctor, requests thatthe selected doctor take charge of examination and treatment for theaforementioned certain patient, registers the correspondence between theapproved doctor and the aforementioned certain patient in the electroniccase record file, gives the right to access the clinic information ofthe patient to the approved doctor, and executes the online examinationand treatment via the doctor terminal and patient terminal, so that apatient existing in a wide area can receive remote examination andtreatment services of high satisfaction and medical treatment relatedservices other than examination and treatment without depending on thelocation.

U.S. Pat. No. 5,915,240 (Karpf, Jun. 22, 1999), expressly incorporatedherein by reference, relates to a computer system and method foraccessing medical information over a network. The system partitions thefunctioning of the system between a client and server program optimizedin a manner to assure synchronization of the master medical informationdatabases on the servers with the local medical information database onthe client, minimize the use of network resources, and allow new typesof medical information to be easily included in the system. A serversite on the network maintains a description of its medical information,as well as the most current and up-to-date medical referenceinformation. The client program maintains a local database that isautomatically synchronized over the network with revisions and newmedical information, and provides a user with an interface to fullyreview the information in the database. The system also uses acontext-sensitive call facility so that users of the Medical LookupReference program can easily get further expert assistance about themedical topic. The call feature uses the network connection to establisha conversation between the user and a person at a help site specified bythe type of medical information they are currently referencing. Once aconnection is established, the system allows the user to engage in aconversation with the person at the help site, and a record of theconversation can be saved in a database for auditing purposes.

U.S. Pat. No. 5,924,074 (Evans, Jul. 13, 1999), expressly incorporatedherein by reference, relates to an electronic medical records system.The system captures patient data, such as patient complaints, laborders, medications, diagnoses, and procedures, at its source at thetime of entry using a graphical user interface having touch screens.Using pen-based portable computers with wireless connections to acomputer network, authorized healthcare providers can access, analyze,update and electronically annotate patient data even while otherproviders are using the same patient record. The system likewise permitsinstant, sophisticated analysis of patient data to identifyrelationships among the data considered. Moreover, the system includesthe capability to access reference databases for consultation regardingallergies, medication interactions and practice guidelines. The systemalso includes the capability to incorporate legacy data, such as paperfiles and mainframe data, for a patient.

U.S. Pat. No. 5,933,809 (Hunt, et al., Aug. 3, 1999), expresslyincorporated herein by reference, relates to computer software forprocessing medical billing record information. Hospital or individualdoctor Medicare billing records are processed using computer software.The software contains at least one set of instructions for receiving,converting, sorting and storing input information from the pre-existingmedical billing records into a form suitable for processing. Thesoftware contains at least one set of instructions for processing theinput medical billing record information, preferably to identifypotential Medicare “72 hour billing rule” violations. This processing ispreferably performed by comparing each input medical billing recordcontaining dates of medical inpatient admission and discharge to eachinput medical billing record containing a date of medical outpatientservice. The inpatient and outpatient billing records are first comparedto determine if they contain matching patient identification codes toidentify all the records originating from the same patient. If matchingpatient identification codes are found the inpatient and outpatientbilling records are further compared to determine if the date ofoutpatient service fell within a preselected time period, preferably 72hours, prior to the date of inpatient admission. If so, the matchinginpatient and outpatient billing records are distinguished and storedseparately for further processing. If not, the matching inpatient andoutpatient billing records are compared to determine if the date ofoutpatient service fell between the inpatient admission and dischargedates. If this is the case, the matching inpatient and outpatientbilling records are again distinguished and stored separately forfurther processing. If not, the program proceeds to the next set ofbilling records to repeat the sequence.

U.S. Pat. No. 5,974,389 (Clark, et al., Oct. 26, 1999, Medical recordmanagement system and process with improved workflow features) relatesto a patient medical record system includes a number of caregivercomputers, and a patient record database with patient data coupled tothe caregiver computers selectively providing access to the patient datafrom one of the caregiver computers responsive to a predetermined set ofaccess rules. The predetermined set of rules includes a rule that accessto a predetermined portion of the patient data by a first caregiver mustbe terminated before access to the same predetermined portion by asecond caregiver is allowed.

U.S. Pat. No. 5,991,758 (Ellard, Nov. 23, 1999), expressly incorporatedherein by reference, relates to a system and method for indexinginformation about entities from different information sources. A systemand method for indexing a data record from an information source into adatabase, the database containing a plurality of data records, isprovided comprising receiving a data record from an information source,the received data record having a predetermined number of fieldscontaining information about a particular entity, standardizing andvalidating the data in the received data record. A system and method isalso provided for retrieving records that refer to an entitycharacterized by a specific set of data values by comparing apredetermined number of fields within the received data record with apredetermined number of fields within the data records already in thedatabase, selecting data records already in the database as candidateshaving data within some of the predetermined fields that is identical tothe data in the fields of the received data record, and scoring thecandidates to determine data records having information about the sameentity.

U.S. Pat. No. 5,995,943 (Bull, et al., Nov. 30, 1999), expresslyincorporated herein by reference, relates to an information aggregationand synthesis system. An information aggregation and synthesis systemand process, which provides aggregation and packaging of structured orunstructured information from disparate sources such as those availableon a network such as the Internet. A user operates a networkcompatible/addressable interface device. The network interface devicecommunicates with local datastores or network accessible datastores viaan addressing scheme such as Uniform Resource Locator addresses (URLs)utilized by the Internet. Data passing between the network interfacedevice and the datastores is accessed, polled, and retrieved through anintermediary gateway system. Such aggregated information is thensynthesized, customized, personalized and localized to meet theinformation resource requests specified by the user via the networkinterface device.

U.S. Pat. No. 6,012,035 (Freeman, Jr., et al., Jan. 4, 2000), expresslyincorporated herein by reference, relates to a system and method forsupporting delivery of health care. Effectuation of a health careprovision agency cooperative function is established through acommunication network linking all the various entities of thecooperative. The entities include the third party payor members, thehealth providing individuals, clinics, or the like, along with secondaryproviders including pharmacies and laboratories, health care facilitiessuch as hospitals, and the several entities associated with managementof the cooperative and appropriate funds transfer functions. Acoordinating interface system maintains data storage of the necessaryinformation, and manages the entity intercommunications in accordancewith the basic structure of the active and eligible elements of theagency cooperative.

U.S. Pat. No. 6,035,276 (Newman, et al., Mar. 7, 2000), expresslyincorporated herein by reference, relates to a system and method forselectively generating provider application forms required to besubmitted to health care provider organizations by physicians andrelated health care professionals. Physician credentialing profilescontaining physician credentialing information are stored into a systemdatabase together with a plurality of different provider applicationformats associated with particular application forms which are completedand selected data extracted from the common information contained in thestored physician credentialing profiles. The method automatically inputsa subset of physician credentialing information required by a particularselected provider application format into the provider application formassociated with that format and generates the particular providerapplication form.

U.S. Pat. No. 6,055,494 (Friedman, Apr. 25, 2000), expresslyincorporated herein by reference, relates to a system and method formedical language extraction and encoding. In computerized processing ofnatural-language medical/clinical data including phrase parsing andregularizing, parameters are referred to whose value can be specified bythe user. Thus, a computerized system can be provided with versatility,for the processing of data originating in diverse domains, for example.Further to a parser and a regularizer, the system includes apreprocessor, output filters, and an encoding mechanism.

U.S. Pat. No. 6,055,506 (Frasca, Jr., Apr. 25, 2000) expresslyincorporated herein by reference, relates to an outpatient care datasystem dedicated to the transmission, storage and retrieval ofoutpatient data relating to care of outpatients is provided with aregional data system located at a regional location, a plurality ofmetropolitan area data systems operatively connected to the regionaldata system, each of the metropolitan area data systems being located ata different metropolitan location. Each metropolitan area data systemmay be provided with an electronic nursing station located within ahospital and first and second types of outpatient systems operativelycoupled to the electronic nursing station on a real-time basis. Thefirst type of outpatient system is situated at a first non-hospitallocation remote from the hospital and includes a medical deviceassociated with an outpatient present at the first non-hospitallocation, and the second type of outpatient system is situated at asecond non-hospital location remote from the hospital and includes amedical device associated with an outpatient present at the secondnon-hospital location.

U.S. Pat. No. 6,076,066 (DiRienzo, et al., Jun. 13, 2000), expresslyincorporated herein by reference, relates to an attachment integratedclaims (AIC) system formed by a combination of first, second and thirdstorage media. The first storage medium stores computer readableinstructions for permitting a first computer system to receive textualdata as field data, where each of the field data is displayed on apredetermined portion of a first screen of the first computer system, toassemble the field data and a corresponding digitized image into a firstfile having an integrated file format and to transmit the first file toa second computer system via a communications channel. The secondstorage medium stores computer readable instructions permitting thesecond computer system to receive the first file via the communicationschannel, to display the corresponding digitized attachment on a secondscreen of the second computer system, and to transfer the field data toa third computer operatively connected to the second computer. Inaddition, the third storage medium stores computer readable instructionspermitting the third computer system to receive the field data from thesecond computer, to display the field data on a third screen and togenerate a second file including portions of the field data extractedfrom the first file. In other words, the AIC system permits transmissionof a customizable claim form and integrated attachment to an insurancecarrier via a non-clearinghouse communications channel. An AIC systemincluding several computers connected via a communications channel, anelectronic file, and an operating method therefore are also described.In an exemplary case, the first file follows a predetermined graphicimage interchange file format and the field data is incorporated intocomment blocks associated with the predetermined graphic imageinterchange file format.

U.S. Pat. No. 6,076,166 (Moshfeghi, et al., Jun. 13, 2000), expresslyincorporated herein by reference, relates to a system and method forpersonalizing hospital intranet web sites. The server includes a layerfor dynamically generating web pages and other data objects usingscripts, such as graphic, audio and video files, in dependence on storedinformation indicating the user's needs and preferences, including thosepresumed from stored information as to the user's function, job, orpurpose for being at the hospital, and logged usage profiles, the levelof the user's access privileges to confidential patient information, andthe computer and physical environments of the user. Notably, the contentis generated in dependence on the display resolution and lowestbandwidth link between the server and browser to limit the waiting timefor downloads as well as the server load.

See also, U.S. Pat. No. 5,319,543 (Wilhelm, Jun. 7, 1994, Workflowserver for medical records imaging and tracking system); U.S. Pat. No.5,465,082 (Chaco, Nov. 7, 1995, Apparatus for automating routinecommunication in a facility); U.S. Pat. No. 5,508,912 (Schneiderman,Apr. 16, 1996, Clinical database of classified out-patients for trackingprimary care outcome); U.S. Pat. No. 5,546,580 (Seliger, et al., Aug.13, 1996, Method and apparatus for coordinating concurrent updates to amedical information database); U.S. Pat. No. 5,592,945 (Fiedler, Jan.14, 1997, Real-time event charting in an electronic flowsheet); U.S.Pat. No. 5,619,991 (Sloane, Apr. 15, 1997, Delivery of medical servicesusing electronic data communications); U.S. Pat. No. 5,664,109 (Johnson,et al., Sep. 2, 1997, Method for extracting pre-defined data items frommedical service records generated by health care providers); U.S. Pat.No. 5,772,585 (Lavin, et al., Jun. 30, 1998, System and method formanaging patient medical records); U.S. Pat. No. 5,778,882 (Raymond, etal., Jul. 14, 1998, Health monitoring system); U.S. Pat. No. 5,845,253(Rensimer, et al., Dec. 1, 1998, System and method for recordingpatient-history data about on-going physician care procedures), each ofwhich is expressly incorporated herein by reference.

Memory Cards

U.S. Pat. No. 6,021,393 (Honda, et al., Feb. 1, 2000), expresslyincorporated herein by reference, relates to a medical informationmanagement system. As a portable memory card carried by a patient tostore the patient's personal medical information, a hybrid-type memorycard is used which includes an optical information recording area, anintegrated circuit memory area and a magnetic information recordingarea. A read/write drive for the memory card includes an optical head, acarrier mechanism for loading the memory card on a carrier table andmoving the loaded memory card relative to the optical head, and acoupler section for coupling electronic information to be read andwritten from and to the integrated circuit memory area of the memorycard, so that reading and writing of optical information from and to theoptical information recording area can be conducted simultaneously withreading and writing of the electronic information from and to theintegrated circuit memory area.

U.S. Pat. No. 6,031,910 (Deindl, et al., Feb. 29, 2000), expresslyincorporated herein by reference, relates to a method and system for thesecure transmission and storage of protectable information, such aspatient information, by means of a patient card. The data stored on thepatient card are protected by cryptographic methods. The data isdecrypted only with the same patient card if a doctor is authorized andthe patient has given his agreement. All information that the patientcard needs in order to decide whether the doctor is authorized, and thekey for protecting the control data and the random key are held on thechip. The patient data can be freely transmitted to any storage medium.The chip controls both the access to the data and the encryption anddecryption functions. Random keys, which are themselves stored encryptedtogether with the data, ensure that every data record remains separatefrom every other data record, and that only authorized persons canaccess it. Every patient card has its own record key. The system andmethod are not directed exclusively to patient data but can be appliedto any protectable data to which right of access is to be restricted.

U.S. Pat. No. 6,034,605 (March, Mar. 7, 2000), expressly incorporatedherein by reference, relates to a system and method for secure storageof personal information and for broadcast of the personal information ata time of emergency. A sealed package contains a medium storing personalinformation associated with an individual. The sealed package is storedat a facility until an emergency occurs. At a time of emergency, amissing person report concerning the individual generated by a lawenforcement agency is processed. The personal information in theindividual's sealed package is accessed in response to the missingperson report and then broadcast on an electronic bulletin boardaccessible via the Internet.

U.S. Pat. No. 6,042,005 (Basile, et al., Mar. 28, 2000), expresslyincorporated herein by reference, relates to a personal identificationsystem for children, that includes two forms of identification. Anidentification card carried by the user contains the user's personal andmedical information in an electronic medium. The identification cardincludes photographs of the user and their parent or legal guardian, aunique identification number for the user, and a list of corporatesponsors. The second identification device is to be worn by the user andincludes the user's unique identification number and an access telephonenumber. A user interface enables the users to update their storedpersonal and medical information.

Rights-Based Access to Database Records

U.S. Pat. No. 5,325,294 (Keene, Jun. 28, 1994), expressly incorporatedherein by reference, relates to a medical privacy system. A method andapparatus for authorized access to medical information concerning anindividual while preserving the confidentiality of, and preventingunauthorized access to, such information, is provided. A computerdatabase receives and stores the individual's medical information, afterthe individual is tested to establish this information and the date onwhich such information was most recently obtained. The computer databasedoes not contain the individual's name, address or any other similarinformation by which the individual can be identified. The individual isgiven an identification card containing a photograph or holographicimage of the individual and containing a confidential firstidentification number that is unique for the individual, where both theimage and the first identification number are visually perceptible andcannot be altered on the card without detection of such alteration. Theindividual is also given a confidential second identification numberthat is not contained on the card and need not be unique for thatindividual. The computer database can be accessed telephonically, andthe individual's medical information, or a portion thereof, can be readonly by an inquiror, if the inquiror or the individual first providesthe individual's first and second identification numbers. The inquirorcan use the image and first identification number on the individual'scard to confirm the identity of that individual but need not be told theindividual's second identification number. After inquiror establishesthe identity of the individual, the inquiror, with the assistance of theindividual, can obtain a telephonic readout of the individual's medicalinformation.

U.S. Pat. No. 5,499,293 (Behram, et al., Mar. 12, 1996), expresslyincorporated herein by reference, relates to a privacy protectedinformation medium using a data compression method, which uses anefficient data compression/decompression scheme using a passive datastorage media such as a card-based approach for storage of medical datainformation. The system operates on existing personal computer hardwarein a medical center or doctors' offices, doing away with expensiveinvestments in specialized technologies of central processing hardware.With the advent of inexpensive desktop computing, a number of inventionshave been offered to improve medical information storage and retrieval.They include the development of portable medical card technologies suchas SmartCards and optical cards, which are capable of storing medicalinformation, and can be carried by the patient. This card-based systemprovides a methodology for storage and retrieval of medical informationfrom a passive credit-card sized instrument. The card is manufacturedwith minimal expense using existing well-known optical scanning ormagnetic tape reading or a data interrogation means in a SmartCard basedsystem.

U.S. Pat. No. 5,987,440 (O'Neil, et al., Nov. 16, 1999), expresslyincorporated herein by reference, relates to a personal informationsecurity and exchange tool. Utilization of the E-Metro Community andPersonal Information Agents assure an effective and comprehensiveagent-rule based command and control of informational assets in anetworked computer environment. The concerns of informational privacyand informational self-determination are addressed squarely by affordingpersons and entities a trusted means to author, secure, search, process,and exchange personal and/or confidential information in a networkedcomputer environment. The formation of trusted electronic communitieswherein members command and control their digital persona, exchanging orbrokering for value the trusted utility of their informational assets ismade possible. The system provides for the trusted utilization ofpersonal data in electronic markets, providing both communities andindividuals aggregate and individual rule-based control of theprocessing of their personal data.

U.S. Pat. No. 6,029,160 (Cabrera, et al., Feb. 22, 2000), expresslyincorporated herein by reference, relates to a system and method forlinking a database system with a system for filing data. Extensions to adatabase system provide linkage between data in the database system andfiles in a system for filing data that is external to the databasesystem (“the filing system”). The linkage includes an external filereference (EFR) data type, which is defined in the database system forreference to files that are stored in the filing system. When entriesare made in the database system that include EFR data-type references tofiles in the filing system, control information is provided by thedatabase system to the filing system. The control information causes thefiling system to control processing of referenced files according toreferential constraints established in the database system.

U.S. Pat. No. 6,038,563 (Bapat, et al., Mar. 14, 2000), expresslyincorporated herein by reference, relates to a system and method forrestricting database access to managed object information using apermissions table that specifies access rights corresponding to useraccess rights to the managed objects. An access control database hasaccess control objects that collectively store information thatspecifies access rights by users to specified sets of the managedobjects. The specified access rights include access rights to obtainmanagement information from the network. An access control serverprovides users access to the managed objects in accordance with theaccess rights specified by the access control database. An informationtransfer mechanism sends management information from the network to adatabase management system (DBMS) for storage in a set of databasetables. Each database table stores management information for acorresponding class of managed objects. An access control procedurelimits access to the management information stored in the databasetables using at least one permissions table. A permissions table definesa subset of rows in the database tables that are accessible to at leastone of the users. The set of database table rows that are accessiblecorresponds to the managed object access rights specified by the accesscontrol database. A user access request to access management informationin the database is intercepted, and the access control procedure isinvoked when the user access request is a select statement. The databaseaccess engine accesses information in the set of database tables usingthe permissions tables such that each user is allowed access only tomanagement information in the set of database tables that the user wouldbe allowed by the access control database to access.

U.S. Pat. No. 6,041,411 (Wyatt, Mar. 21, 2000), expressly incorporatedherein by reference, relates to a method for defining and verifying useraccess rights to computer information. A method is provided forminimizing the potential for unauthorized use of digital information,particularly software programs, digital content and other computerinformation, by verifying user access rights to electronicallytransmitted digital information. A second computer system transmitsrequested digital information to a requesting first computing system inwrapped form, which includes digital instructions that must besuccessfully executed, or unwrapped, before access to the digitalinformation is allowed. Successful unwrapping requires that certainconditions must be verified in accordance with the digital instructions,thereby allowing access to the digital information. In one embodiment,verification includes locking the digital information to the requestingcomputer system by comparing a generated digital fingerprint associatedwith the digital information to a digital fingerprint previouslygenerated which is unique to the requesting computer system.

U.S. Pat. No. 6,044,401 (Harvey, Mar. 28, 2000), expressly incorporatedherein by reference, relates to a network sniffer for monitoring andreporting network information that is not privileged beyond a user'sprivilege level. Nodes in the network include a network sniffer and anaccess sniffer. The access sniffer includes an access element and anaccess interface. The access element preferably includes a memory and adatabase. The access element accesses the network sniffer and filtersout unavailable information by using information such as address andport numbers gathered by the network sniffer. Unavailable informationincludes information which is non-public or beyond the privilege levelof the particular user. The access element evaluates data streams thatare public information to determine if the data streams meet apredetermined criterion. If the data streams meet the predeterminedcriteria, then the data is saved in the database. The access elementtransfers only the information available to the particular user to theaccess interface. The access element can time itself for a limitedamount of time for execution. Once the predetermined time period hasexpired, the access element is complete and it can save and transfer theappropriate information to the access interface.

U.S. Pat. No. 6,052,688 (Thorsen, Apr. 18, 2000), expressly incorporatedherein by reference, relates to a computer-implemented control of accessto atomic data items. The method comprises the steps of initiating andmaintaining data access nodes in a variable access structure. Eachaccess node is provided with references to other access nodes and/or todata items representing an object, each data item carrying only theamount of information that is relevant for its purpose. The data itemsor the references are provided with a time parameter thus enablingversion control and the possibility to handle static or slowly changingdata and frequently changed and updated data in a corresponding manner.The access nodes comprise access control parameters for access controlfrom a safety point of view as well as for enabling different views ofthe access structure and underlying data and objects.

U.S. Pat. No. 6,073,106 (Rozen, et al., Jun. 6, 2000), expresslyincorporated herein by reference, relates to a method of managing andcontrolling access to personal information. A participant is prompted toprovide a constant identifier and a selected password via Internetcommunications or via phone/fax/mail. Emergency and confidentialcategories of medical information are identified, and the participant isprompted to provide personal information in each of the categories and adifferent personal identification number (E-PIN, C-PIN) for eachcategory. The participant is also prompted to provide an instruction todisclose or to not disclose the personal information in the emergencycategory in the event a requester of the information is an emergencymedical facility and is unable to provide the participant's E-PIN.Alteration of any of the participant's medical information is enabledupon presentation of the participant's identifier and password by therequester. The emergency information or the confidential information isdisclosed upon presentation of the participant's identifier and E-PIN orC-PIN. In addition, the emergency information is disclosed to anemergency medical facility verified as such by a service provider in theevent the participant has provided an instruction to disclose theemergency information. Storage and access to health related documentssuch as healthcare power of attorney, consent for treatment, andeyeglass prescription is also provided.

U.S. Pat. No. 6,073,234 (Kigo, et al., Jun. 6, 2000), expresslyincorporated herein by reference, relates to a device and method forauthenticating user's access rights to resources. Both of a user sideand a protect side such as a programmer of an application programmerneed not handle a large number of inherent information such asauthentication keys. An access ticket generation device generates anaccess ticket from user unique identifying information and access rightsauthentication feature information. As unique security characteristicinformation, there is used a secret key of an elliptic curve encryptionor an ElGamal encryption. A proof data generation device receives theaccess ticket, converts authentication data received from a proof dataverification device into proof data by use of the access ticket and theuser unique identifying information, and returns the resultant proofdata to the proof data verification device. The proof data generationdevice or the proof data verification device decrypts theabove-mentioned encryption. The proof data verification device verifiesthe access rights as correct only when a combination of an access ticketand user unique identifying information used in the proof datageneration device is correct.

Role-Based Access

U.S. Pat. No. 6,023,765 (Kuhn, Feb. 8, 2000; Implementation ofrole-based access control in multi-level secure systems), expresslyincorporated herein by reference, relates to a system and method forimplementation of role-based access control in multi-level securesystems. Role-based access control (RBAC) is implemented on amulti-level secure (MLS) system by establishing a relationship betweenprivileges within the RBAC system and pairs of levels and compartmentswithin the MLS system. The advantages provided by RBAC, that is,reducing the overall number of connections that must be maintained, and,for example, greatly simplifying the process required in response to achange of job status of individuals within an organization, are thenrealized without loss of the security provided by MLS. A trustedinterface function is developed to ensure that the RBAC rules permittingindividual's access to objects are followed rigorously, and provides aproper mapping of the roles to corresponding pairs of levels andcompartments. No other modifications are necessary. Access requests fromsubjects are mapped by the interface function to pairs of levels andcompartments, after which access is controlled entirely by the rules ofthe MLS system.

See also, U.S. Pat. No. 6,073,242 (Electronic authority server); U.S.Pat. No. 6,073,240 (Method and apparatus for realizing computersecurity); U.S. Pat. No. 6,064,977 (Web server with integratedscheduling and calendaring); U.S. Pat. No. 6,055,637 (System and methodfor accessing enterprise-wide resources by presenting to the resource atemporary credential); U.S. Pat. No. 6,044,466 (Flexible and dynamicderivation of permissions); U.S. Pat. No. 6,041,349 (Systemmanagement/network correspondence display method and system therefore);U.S. Pat. No. 6,014,666 (Declarative and programmatic access control ofcomponent-based server applications using roles); U.S. Pat. No.5,991,877 (Object-oriented trusted application framework); U.S. Pat. No.5,978,475 (Event auditing system); U.S. Pat. No. 5,949,866(Communications system for establishing a communication channel on thebasis of a functional role or task); U.S. Pat. No. 5,925,126 (Method forsecurity shield implementation in computer system's software); U.S. Pat.No. 5,911,143 (Method and system for advanced role-based access controlin distributed and centralized computer systems); U.S. Pat. No.5,797,128 (System and method for implementing a hierarchical policy forcomputer system administration); U.S. Pat. No. 5,761,288 (Servicecontext sensitive features and applications); U.S. Pat. No. 5,751,909(Database system with methods for controlling object interaction byestablishing database contracts between objects); U.S. Pat. No.5,748,890 (Method and system for authenticating and auditing access by auser to non-natively secured applications); U.S. Pat. No. 5,621,889(Facility for detecting intruders and suspect callers in a computerinstallation and a security system including such a facility); U.S. Pat.No. 5,535,383 (Database system with methods for controlling objectinteraction by establishing database contracts between objects); U.S.Pat. No. 5,528,516 (Apparatus and method for event correlation andproblem reporting); U.S. Pat. No. 5,481,613 (Computer networkcryptographic key distribution system); U.S. Pat. No. 5,347,578(Computer system security); U.S. Pat. No. 5,265,221 (Access restrictionfacility method and apparatus), each of which is expressly incorporatedherein by reference.

Secure Networks

U.S. Pat. No. 5,579,393 (Conner, et al., Nov. 26, 1996), expresslyincorporated herein by reference, relates to a system and method forsecure medical and dental record interchange, comprising a providersystem and a payer system. The provider system includes a digitalimager, a processing unit, a data transmission/reception device, and amemory having a provider management unit and a security unit. For eachimage acquired from the digital imager, the provider management unitgenerates a unique image ID, and creates an image relation structurehaving a source indicator, a status indicator, and a copy-fromindicator. The provider management unit organizes images into a messagefor transmission to a payer system. The security unit performs messageencryption, image signature generation, and message signaturegeneration. The payer system includes a processing unit, a datatransmission/reception device, and a memory having a payer managementunit and a security unit. The payer system's security unit validatesmessage signatures and image signatures received. The payer managementunit generates a message rejection notification or a message acceptancenotification. A method for provider-side secure medical and dentalrecord interchange comprises the steps of: acquiring an image;generating a unique image ID and an image relation structure;maintaining a status indicator, a source indicator, and a copy-fromindicator; generating an image signature; creating a message thatincludes the image; and generating a message signature. A method forpayer-side secure medical and dental record interchange comprises thesteps of: validating a message signature; validating an image signature;and selectively generating a message acceptance notification or amessage rejection notification.

U.S. Pat. No. 5,890,129 (Spurgeon, Mar. 30, 1999), expresslyincorporated herein by reference, relates to a system for exchanginghealth care insurance information. An information-exchange system isprovided for controlling the exchange of business and clinicalinformation between an insurer and multiple health care providers. Thesystem includes an information-exchange computer that is connected overa local area network to an insurer computer using a proprietary databaseand over the Internet to health-care provider computers using opendatabase-compliant databases. The information-exchange computer receivessubscriber insurance data from the insurance computer database,translates the insurance data into an exchange database, and pushes thesubscriber insurance data out over the Internet to the computer operatedby the health-care provider assigned to each subscriber. Theinformation-exchange system stores the data in the provider database.The information-exchange systems also provide for the preparation,submission, processing, and payment of claims over the local areanetwork and with push technology over the Internet. In addition, priorauthorization requests may be initiated in the provider computers andexchanged over the information-exchange system for review by the insurercomputer. Processed reviews are transmitted back to the providercomputer and to a specialist computer, if required, using pushtechnology over the Internet.

U.S. Pat. No. 5,930,759 (Moore, et al., Jul. 27, 1999), expresslyincorporated herein by reference, relates to a method and system forprocessing health care electronic data transactions. A system or networkfor assembling, filing and processing health care data transactions andinsurance claims made by patients pursuant to health care policiesissued to the patients by insurance companies or other carriers forservice provided to the patients at health care facilities is provided.The network comprises a multitude of participating patients, a multitudeof health care facilities, and a plurality of insurance companies orother carriers. Each of the patients has a personal data file includinga set of patient related data encoded in a machine readable format, andeach of the health care facilities has a telecommunications unit and afile reader to read the data on the personal data files and to transmitthe patient related data to the telecommunications unit at the facility.The network further includes a central claims processing unit connectedto the telecommunications units of the health care facilities to receivethe electronic claim forms from those facilities and to adjudicate thoseclaims.

U.S. Pat. No. 5,933,498 (Schneck, et al., Aug. 3, 1999), expresslyincorporated herein by reference, relates to a system for controllingaccess and distribution of digital property represented as data.Portions of the data are protected and rules concerning access rights tothe data are determined. Access to the protected portions of the data isprevented, other than in a non-useable form; and users are providedaccess to the data only in accordance with the rules as enforced by amechanism protected by tamper detection. A method is also provided fordistributing data for subsequent controlled use of those data. Themethod includes protecting portions of the data; preventing access tothe protected portions of the data other than in a non-useable form;determining rules concerning access rights to the data; protecting therules; and providing a package including: the protected portions of thedata and the protected rules. A user is provided controlled access tothe distributed data only in accordance with the rules as enforced by amechanism protected by tamper protection. A device is provided forcontrolling access to data having protected data portions and rulesconcerning access rights to the data. The device includes means forstoring the rules; and means for accessing the protected data portionsonly in accordance with the rules, whereby user access to the protecteddata portions is permitted only if the rules indicate that the user isallowed to access the portions of the data.

U.S. Pat. No. 5,978,918 (Scholnick, et al., Nov. 2, 1999), expresslyincorporated herein by reference, relates to a practical method andsystem for supplementing or replacing current security protocols used onpublic networks involving the distribution of a proprietary system foruse on a public network access provider's network. The proprietarysystem includes processing hardware and proprietary software. Theproprietary system transmits private data, outside the Internet, overproprietary lines to a back-end process. When a “sender” sends privatedata it is sent over the proprietary system to a back-end process. Theback-end process returns a time sensitive token that the “sender” sendsto the “receiver”. The “receiver” takes the time sensitive token anduses it to either retrieve the private data, over a proprietary system,or initiate a transaction with a financial institution. Encryption isused to allow authentication of the participants. This method can beused in conjunction with Secure Socket Layer (SSL) encryption and/or theSecure Electronic Transaction (SET) protocol.

U.S. Pat. No. 6,005,943 (Cohen, et al., Dec. 21, 1999), expresslyincorporated herein by reference, relates to electronic identifiers fornetwork terminal devices. The generation of electronic identifiers fornetwork interface units connected to a data network for use in detectingunauthorized decryption of encrypted data transmitted over the datanetwork. A random number is generated for use as a private keydecryption code and is stored in memory in each network interface unit.A public key is calculated from the stored private key using anon-invertible mathematical formula. If the calculated public key isunique, then a portion of the public key (e.g. a subset of its bits) isstored in a data provider database as an electronic identifier for usein detecting unauthorized decryption of data by the interface unit.

U.S. Pat. No. 6,009,526 (Choi, Dec. 28, 1999), expressly incorporatedherein by reference, relates to an information security system fortracing information outflow from a remotely accessible computer orcomputer network. The system includes an internal communication systemthat has at least one internal computer for transmitting securityinformation by tracing data through communication equipment, outputtingthe data to an external output means, and connecting the internalcomputer to an external network. A communication monitoring devicestores information regarding the data that is to be transmitted byapplying a security policy according to a security grade assigned to thedestination to which the data is to be transmitted. Thecommunication-monitoring device is configured for extracting theidentification of the destination from the transmitted data. It alsoincludes a communication-monitoring server for storing and displayingpredetermined information about the data to be transmitted and fordetermining whether the tracing information is stored according to thesecurity grade for the identified destination. A method of operating thedisclosed system is also described.

U.S. Pat. No. 6,021,202 (Anderson, et al., Feb. 1, 2000), expresslyincorporated herein by reference, relates to a method and system forprocessing electronic documents, which includes a markup languageaccording to the SGML standard in which document type definitions arecreated under which electronic documents are divided into blocks thatare associated with logical fields that are specific to the type ofblock. Each of many different types of electronic documents can have arecord mapping to a particular environment, such as a legacy environmentof a banking network, a hospital's computer environment for electronicrecord keeping, a lending institution's computer environment forprocessing loan applications, or a court or arbitrator's computersystem. Semantic document type definitions for various electronicdocument types (including, for example, electronic checks, mortgageapplications, medical records, prescriptions, contracts, and the like)can be formed using mapping techniques between the logical content ofthe document and the block that is defined to include such content.Also, the various document types are preferably defined to satisfyexisting customs, protocols and legal rules.

U.S. Pat. No. 6,021,491 (Renaud, Feb. 1, 2000), expressly incorporatedherein by reference, relates to digital signatures for data streams anddata archives. Methods, apparatuses and products are provided forverifying the authenticity of data within one or more data files. Eachdata file is provided with an identifier, such as a one-way hashfunction or cyclic redundancy checksum. A signature file, that includesthe identifiers for one or more data files, is provided with a digitalsignature created with a signature algorithm. The data file(s) andsignature file are then transferred, or otherwise provided to a user.The user verifies the digital signature in the signature file using asignature-verifying algorithm. Once verified as being authentic, thesignature file can be used to verify each of the data files.Verification of the data files can be accomplished by comparing theidentifier for each data file with the corresponding identifier in thesignature file. If the identifiers in the data and signature filesmatch, then the data file can be marked as authentic. If the identifiersdo not match then the data file can be rejected or otherwise dealt withaccordingly.

U.S. Pat. No. 6,021,497 (Bouthillier, et al., Feb. 1, 2000), expresslyincorporated herein by reference, relates to a secured network systemwhich will allow only authorized users of the seed network system toaccess classified data provided by a secured network server. The securednetwork system includes a readykey controller, which has connectedthereto a plurality of card readers. A user of the secured networksystem inserts a microchip embedded card into one of the card readerswhich then provides an authorization signal to the readykey controllerindicating that the user is authorized to use one of a plurality ofcomputers within the secured network system to receive and processclassified data. The readykey controller sends an enable signal to adata relay switch enabling a data line associated with the card readerand the computer selected by the user allowing classified data to betransmitted from the secured network server through the data relayswitch to the selected computer. Each of the three computers also has apower relay switch connected thereto which is activated by the readykeycontroller whenever authorization to activate the computer is providedto the readykey controller from another of the plurality of cardreaders.

U.S. Pat. No. 6,023,762 (Dean, et al., Feb. 8, 2000), expresslyincorporated herein by reference, relates to a data access and retrievalsystem which comprises a plurality of user data sources each storingelectronic data signals describing data specific to a user, or enablingservices selected by a user; an agent device which is configurable toselect individual ones of the user data sources and present selectionsof user data and service data to a set of callers who may interrogatethe agent device remotely over a communications network; a plurality ofservice terminals capable of communicating with the agent device over acommunications network the service terminals operable by callers; and aplurality of key devices, storing caller information and security codeinformation for enabling remote access of selections of user data and/orservices to be transmitted over a communications network to a callerlocated at a service terminal.

U.S. Pat. No. 6,029,245 (Scanlan, Feb. 22, 2000), expressly incorporatedherein by reference, relates to a method and system for dynamicallyassigning security parameters to hypertext markup language (HTML) pagesof an information provider on the worldwide web, whereby only one set ofHTML pages need be stored and maintained for retrieval by clientcomputers using differing security protocols. A security injectionprofile is provided for storing security parameters for each respectivesecurity protocol. When a browser enabled with a particular securityprotocol requests one of the HTML pages in the secure set, the page isaccessed from web server storage, security parameters of the particularprotocol are accessed and injected into the accessed page, and the pageis sent to the requesting browser.

U.S. Pat. No. 6,049,875 (Suzuki, et al., Apr. 11, 2000), expresslyincorporated herein by reference, relates to a security apparatus andmethod. A service is supplied to a user while maintaining the securityof the service. A person discrimination section discriminates the userto be supplied the service. A user situation decision section decideswhether the user is authorized to use the service. An infringementsituation decision section detects whether a non-user intrudes into ause area of the service in order to decide whether the security of theservice is infringed. A service control section supplies the service tothe user in case the person discrimination section discriminates theuser, and controls a supply of the service if the use situation decisionsection decides the user is not under the situation to use the serviceor the infringement situation decision section decides that the securityof the service is infringed.

U.S. Pat. No. 6,055,508 (Naor, et al., Apr. 25, 2000), expresslyincorporated herein by reference, relates to a method for secureaccounting and auditing on a communications network. A method for secureaccounting and auditing of a communications network operates in anenvironment in which many servers serve an even larger number of clients(e.g. the web), and are required to meter the interaction betweenservers and clients (e.g. counting the number of clients that wereserved by a server). The method (metering process) is very efficient anddoes not require extensive usage of any new communication channels. Themetering is secure against fraud attempts by servers that inflate thenumber of their clients and against clients that attempt to disrupt themetering process. Several secure and efficient constructions of thismethod are based on efficient cryptographic techniques, are also veryaccurate, and preserve the privacy of the clients.

U.S. Pat. No. 6,065,119 (Sandford, II, et al., May 16, 2000), expresslyincorporated herein by reference, relates to a method of authenticatingdigital data such as measurements made for medical, environmentalpurposes, or forensic purpose, and destined for archival storage ortransmission through communications channels in which corruption ormodification in part is possible. Authenticated digital data containdata-metric quantities that can be constructed from the digital data byauthorized persons having a digital key. To verify retrieved or receiveddigital data, the data-metrics constructed from the retrieved orreceived data are compared with similar data-metrics calculated for theretrieved or received digital data. The comparison determines thelocation and measures the amount of modification or corruption in theretrieved or received digital data.

U.S. Pat. No. 6,073,240 (Kurtzberg, et al., Jun. 6, 2000), expresslyincorporated herein by reference, relates to a method and apparatus forrealizing computer security. The method includes the steps ofestablishing an authorization window for enabling computer systemactions consistent with an authorization rule; and, monitoring theactions as an indicia of conformance to the authorization rule. Themethod preferably provides a pattern of system actions as an indicia ofcompliance with an authorization rule, and provides notification ofpredetermined patterns.

U.S. Pat. No. 6,075,860 (Ketcham, Jun. 13, 2000), expressly incorporatedherein by reference, relates to an apparatus and method forauthentication and encryption of a remote terminal over a wireless link.A method and system is provided for authenticating an authorized user ofa remote terminal attempting to interconnect with a computer networkover a wireless modem is provided. An encrypted wireless communicationchannel is established between a remote terminal and a network serverfor facilitating the authentication process. An authorized user presentsan authentication card containing credentials including a useridentifier and an authentication encryption key to a remote terminal.The remote terminal establishes a wireless communication channel with anetwork server that provides a firewall between unauthenticated usersand a computer network. The network server and the remote terminal thenexchange encrypted information thus verifying the authenticity of eachparty. The remote terminal and the network server each independentlygenerate a data encryption key for use in establishing a secureencrypted wireless communication channel therebetween.

U.S. Pat. No. 6,075,861 (Miller, II, Jun. 13, 2000), expresslyincorporated herein by reference, relates to a security access system,having an entry access system that includes a locking mechanism enablingauthorized entry at a secured entry point to a closed access area orcomputing device. Entry is approved in response to an interactionbetween an intended entrant and the entry access system that involves aninterchange of multidigit numbers and use of ID and PINs for generationof a multidigit check number to establish authenticity of a request forentry.

Cryptographic Technology

U.S. Pat. No. 5,956,408 (Arnold, Sep. 21, 1999), expressly incorporatedherein by reference, relates to an apparatus and method for securedistribution of data. Data, including program and software updates, isencrypted by a public key encryption system using the private key of thedata sender. The sender also digitally signs the data. The receiverdecrypts the encrypted data, using the public key of the sender, andverifies the digital signature on the transmitted data. The programinteracts with basic information stored within the confines of thereceiver. As result of the interaction, the software updates areinstalled within the confines of the user, and the basic informationstored within the confines of the user is changed.

U.S. Pat. No. 5,982,891 (Ginter, et al., Nov. 9, 1999); U.S. Pat. No.5,949,876 (Ginter, et al., Sep. 7, 1999); and U.S. Pat. No. 5,892,900(Ginter, et al., Apr. 6, 1999), expressly incorporated herein byreference, relate to systems and methods for secure transactionmanagement and electronic rights protection. Electronic appliances, suchas computers, help to ensure that information is accessed and used onlyin authorized ways, and maintain the integrity, availability, and/orconfidentiality of the information. Such electronic appliances provide adistributed virtual distribution environment (VDE) that may enforce asecure chain of handling and control, for example, to control and/ormeter or otherwise monitor use of electronically stored or disseminatedinformation. Such a virtual distribution environment may be used toprotect rights of various participants in electronic commerce and otherelectronic or electronic-facilitated transactions. Distributed and otheroperating systems, environments and architectures, such as, for example,those using tamper-resistant hardware-based processors, may establishsecurity at each node. These techniques may be used to support anall-electronic information distribution, for example, utilizing the“electronic highway.”

U.S. Pat. No. 6,009,177 (Sudia, Dec. 28, 1999), expressly incorporatedherein by reference, relates to a cryptographic system and method with akey escrow feature that uses a method for verifiably splitting users'private encryption keys into components and for sending those componentsto trusted agents chosen by the particular users, and provides a systemthat uses modern public key certificate management, enforced by a chipdevice that also self-certifies. The methods for key escrow andreceiving an escrow certificate are also applied herein to a moregeneralized case of registering a trusted device with a trusted thirdparty and receiving authorization from that party enabling the device tocommunicate with other trusted devices. Further preferred embodimentsprovide for rekeying and upgrading of device firmware using acertificate system, and encryption of stream-oriented data.

U.S. Pat. No. 6,052,467 (Brands, Apr. 18, 2000), expressly incorporatedherein by reference, relates to a system for ensuring that the blindingof secret-key certificates is restricted, even if the issuing protocolis performed in parallel mode. A cryptographic method is disclosed thatenables the issuer in a secret-key certificate issuing protocol to issuetriples consisting of a secret key, a corresponding public key, and asecret-key certificate of the issuer on the public key, in such a waythat receiving parties can blind the public key and the certificate, butcannot blind a predetermined non-trivial predicate of the secret keyeven when executions of the issuing protocol are performed in parallel.

U.S. Pat. No. 6,052,780 (Glover, Apr. 18, 2000), expressly incorporatedherein by reference, relates to a computer system and process foraccessing an encrypted and self-decrypting digital information productwhile restricting access to decrypted digital information. Some of theseproblems with digital information protection systems may be overcome byproviding a mechanism that allows a content provider to encrypt digitalinformation without requiring either a hardware or platform manufactureror a content consumer to provide support for the specific form ofcorresponding decryption. This mechanism can be provided in a mannerthat allows the digital information to be copied easily for back-uppurposes and to be transferred easily for distribution, but which shouldnot permit copying of the digital information in decrypted form. Inparticular, the encrypted digital information is stored as an executablecomputer program that includes a decryption program that decrypts theencrypted information to provide the desired digital information, uponsuccessful completion of an authorization procedure by the user. Incombination with other mechanisms that track distribution, enforceroyalty payments and control access to decryption keys, an improvedmethod is provided for identifying and detecting sources of unauthorizedcopies. Suitable authorization procedures also enable the digitalinformation to be distributed for a limited number of uses and/or users,thus enabling per-use fees to be charged for the digital information.

See also, U.S. Pat. No. 4,200,770 (Cryptographic apparatus and method);U.S. Pat. No. 4,218,582 (Public key cryptographic apparatus and method);U.S. Pat. No. 4,264,782 (Method and apparatus for transaction andidentity verification); U.S. Pat. No. 4,306,111 (Simple and effectivepublic-key cryptosystem); U.S. Pat. No. 4,309,569 (Method of providingdigital signatures); U.S. Pat. No. 4,326,098 (High security system forelectronic signature verification); U.S. Pat. No. 4,351,982 (RSAPublic-key data encryption system having large random prime numbergenerating microprocessor or the like); U.S. Pat. No. 4,365,110(Multiple-destinational cryptosystem for broadcast networks); U.S. Pat.No. 4,386,233 (Crytographic key notarization methods and apparatus);U.S. Pat. No. 4,393,269 (Method and apparatus incorporating a one-waysequence for transaction and identity verification); U.S. Pat. No.4,399,323 (Fast real-time public key cryptography); U.S. Pat. No.4,405,829 (Cryptographic communications system and method); U.S. Pat.No. 4,438,824 (Apparatus and method for cryptographic identityverification); U.S. Pat. No. 4,453,074 (Protection system forintelligent cards); U.S. Pat. No. 4,458,109 (Method and apparatusproviding registered mail features in an electronic communicationsystem); U.S. Pat. No. 4,471,164 (Stream cipher operation using publickey cryptosystem); U.S. Pat. No. 4,514,592 (Cryptosystem); U.S. Pat. No.4,528,588 (Method and apparatus for marking the information content ofan information carrying signal); U.S. Pat. No. 4,529,870 (Cryptographicidentification, financial transaction, and credential device); U.S. Pat.No. 4,558,176 (Computer systems to inhibit unauthorized copying,unauthorized usage, and automated cracking of protected software); U.S.Pat. No. 4,567,600 (Method and apparatus for maintaining the privacy ofdigital messages conveyed by public transmission); U.S. Pat. No.4,575,621 (Portable electronic transaction device and system therefor);U.S. Pat. No. 4,578,531 (Encryption system key distribution method andapparatus); U.S. Pat. No. 4,590,470 (User authentication systememploying encryption functions); U.S. Pat. No. 4,595,950 (Method andapparatus for marking the information content of an information carryingsignal); U.S. Pat. No. 4,625,076 (Signed document transmission system);U.S. Pat. No. 4,633,036 (Method and apparatus for use in public-key dataencryption system); U.S. Pat. No. 6,026,379 (System, method and articleof manufacture for managing transactions in a high availability system);U.S. Pat. No. 6,026,490 (Configurable cryptographic processing engineand method); U.S. Pat. No. 6,028,932 (Copy prevention method andapparatus for digital video system); U.S. Pat. No. 6,028,933 (Encryptingmethod and apparatus enabling multiple access for multiple services andmultiple transmission modes over a broadband communication network);U.S. Pat. No. 6,028,936 (Method and apparatus for authenticatingrecorded media); U.S. Pat. No. 6,028,937 (Communication device whichperforms two-way encryption authentication in challenge responseformat); U.S. Pat. No. 6,028,939 (Data security system and method); U.S.Pat. No. 6,029,150 (Payment and transactions in electronic commercesystem); U.S. Pat. No. 6,029,195 (System for customized electronicidentification of desirable objects); U.S. Pat. No. 6,029,247 (Methodand apparatus for transmitting secured data); U.S. Pat. No. 6,031,913(Apparatus and method for secure communication based on channelcharacteristics); U.S. Pat. No. 6,031,914 (Method and apparatus forembedding data, including watermarks, in human perceptible images); U.S.Pat. No. 6,034,618 (Device authentication system which allows theauthentication function to be changed); U.S. Pat. No. 6,035,041(Optimal-resilience, proactive, public-key cryptographic system andmethod); U.S. Pat. No. 6,035,398 (Cryptographic key generation usingbiometric data); U.S. Pat. No. 6,035,402 (Virtual certificateauthority); U.S. Pat. No. 6,038,315 (Method and system for normalizingbiometric variations to authenticate users from a public database andthat ensures individual biometric data privacy); U.S. Pat. No. 6,038,316(Method and system for protection of digital information); U.S. Pat. No.6,038,322 (Group key distribution); U.S. Pat. No. 6,038,581 (Scheme forarithmetic operations in finite field and group operations over ellipticcurves realizing improved computational speed); U.S. Pat. No. 6,038,665(System and method for backing up computer files over a wide areacomputer network); U.S. Pat. No. 6,038,666 (Remote identity verificationtechnique using a personal identification device); U.S. Pat. No.6,041,122 (Method and apparatus for hiding cryptographic keys utilizingautocorrelation timing encoding and computation); U.S. Pat. No.6,041,123 (Centralized secure communications system); U.S. Pat. No.6,041,357 (Common session token system and protocol); U.S. Pat. No.6,041,408 (Key distribution method and system in secure broadcastcommunication); U.S. Pat. No. 6,041,410 (Personal identification fob);U.S. Pat. No. 6,044,131 (Secure digital x-ray image authenticationmethod); U.S. Pat. No. 6,044,155 (Method and system for securelyarchiving core data secrets); U.S. Pat. No. 6,044,157 (Microprocessorsuitable for reproducing AV data while protecting the AV data fromillegal copy and image information processing system using themicroprocessor); U.S. Pat. No. 6,044,205 (Communications system fortransferring information between memories according to processestransferred with the information); U.S. Pat. No. 6,044,349 (Secure andconvenient information storage and retrieval method and apparatus); U.S.Pat. No. 6,044,350 (Certificate meter with selectable indemnificationprovisions); U.S. Pat. No. 6,044,388 (Pseudorandom number generator);U.S. Pat. No. 6,044,462 (Method and apparatus for managing keyrevocation); U.S. Pat. No. 6,044,463 (Method and system for messagedelivery utilizing zero knowledge interactive proof protocol); U.S. Pat.No. 6,044,464 (Method of protecting broadcast data by fingerprinting acommon decryption function); U.S. Pat. No. 6,044,466 (Flexible anddynamic derivation of permissions); U.S. Pat. No. 6,044,468 (Securetransmission using an ordinarily insecure network communication protocolsuch as SNMP); U.S. Pat. No. 6,047,051 (Implementation of charging in atelecommunications system); U.S. Pat. No. 6,047,066 (Communicationmethod and device); U.S. Pat. No. 6,047,067 (Electronic-monetarysystem); U.S. Pat. No. 6,047,072 (Method for secure key distributionover a nonsecure communications network); U.S. Pat. No. 6,047,242(Computer system for protecting software and a method for protectingsoftware); U.S. Pat. No. 6,047,268 (Method and apparatus for billing fortransactions conducted over the internet); U.S. Pat. No. 6,047,269(Self-contained payment system with circulating digital vouchers); U.S.Pat. No. 6,047,374 (Method and apparatus for embedding authenticationinformation within digital data); U.S. Pat. No. 6,047,887 (System andmethod for connecting money modules); U.S. Pat. No. 6,049,610 (Methodand apparatus for digital signature authentication); U.S. Pat. No.6,049,612 (File encryption method and system); U.S. Pat. No. 6,049,613(Method and apparatus for encrypting, decrypting, and providing privacyfor data values); U.S. Pat. No. 6,049,671 (Method for identifying andobtaining computer software from a network computer); U.S. Pat. No.6,049,785 (Open network payment system for providing for authenticationof payment orders based on a confirmation electronic mail message); U.S.Pat. No. 6,049,786 (Electronic bill presentment and payment system whichdeters cheating by employing hashes and digital signatures); U.S. Pat.No. 6,049,787 (Electronic business transaction system with notarizationdatabase and means for conducting a notarization procedure); U.S. Pat.No. 6,049,838 (Persistent distributed capabilities); U.S. Pat. No.6,049,872 (Method for authenticating a channel in large-scaledistributed systems); U.S. Pat. No. 6,049,874 (System and method forbacking up computer files over a wide area computer network); U.S. Pat.No. 6,052,466 (Encryption of data packets using a sequence of privatekeys generated from a public key exchange); U.S. Pat. No. 6,052,467(System for ensuring that the blinding of secret-key certificates isrestricted, even if the issuing protocol is performed in parallel mode);U.S. Pat. No. 6,052,469 (Interoperable cryptographic key recovery systemwith verification by comparison); U.S. Pat. No. 6,055,314 (System andmethod for secure purchase and delivery of video content programs); U.S.Pat. No. 6,055,321 (System and method for hiding and extracting messagedata in multimedia data); U.S. Pat. No. 6,055,508 (Method for secureaccounting and auditing on a communications network); U.S. Pat. No.6,055,512 (Networked personal customized information and facilityservices); U.S. Pat. No. 6,055,636 (Method and apparatus forcentralizing processing of key and certificate life cycle management);U.S. Pat. No. 6,055,639 (Synchronous message control system in aKerberos domain); U.S. Pat. No. 6,056,199 (Method and apparatus forstoring and reading data); U.S. Pat. No. 6,057,872 (Digital coupons forpay televisions); U.S. Pat. No. 6,058,187 (Secure telecommunicationsdata transmission); U.S. Pat. No. 6,058,188 (Method and apparatus forinteroperable validation of key recovery information in a cryptographicsystem); U.S. Pat. No. 6,058,189 (Method and system for performingsecure electronic monetary transactions); U.S. Pat. No. 6,058,193(System and method of verifying cryptographic postage evidencing using afixed key set); U.S. Pat. No. 6,058,381 (Many-to-many payments systemfor network content materials); U.S. Pat. No. 6,058,383 (Computationallyefficient method for trusted and dynamic digital objects dissemination);U.S. Pat. No. 6,061,448 (Method and system for dynamic server documentencryption); U.S. Pat. No. 6,061,454 (System, method, and computerprogram for communicating a key recovery block to enable third partymonitoring without modification to the intended receiver); U.S. Pat. No.6,061,692 (System and method for administering a meta database as anintegral component of an information server); U.S. Pat. No. 6,061,789(Secure anonymous information exchange in a network); U.S. Pat. No.6,061,790 (Network computer system with remote user data enciphermethodology); U.S. Pat. No. 6,061,791 (Initial secret key establishmentincluding facilities for verification of identity); U.S. Pat. No.6,061,792 (System and method for fair exchange of time-independentinformation goods over a network); U.S. Pat. No. 6,061,794 (System andmethod for performing secure device communications in a peer-to-peer busarchitecture); U.S. Pat. No. 6,061,796 (Multi-access virtual privatenetwork); U.S. Pat. No. 6,061,799 (Removable media for password basedauthentication in a distributed system); U.S. Pat. No. 6,064,723(Network-based multimedia communications and directory system and methodof operation); U.S. Pat. No. 6,064,738 (Method for encrypting anddecrypting data using chaotic maps); U.S. Pat. No. 6,064,740 (Method andapparatus for masking modulo exponentiation calculations in anintegrated circuit); U.S. Pat. No. 6,064,741 (Method for thecomputer-aided exchange of cryptographic keys between a user computerunit U and a network computer unit N); U.S. Pat. No. 6,064,764 (Fragilewatermarks for detecting tampering in images); U.S. Pat. No. 6,064,878(Method for separately permissioned communication); U.S. Pat. No.6,065,008 (System and method for secure font subset distribution); U.S.Pat. No. 6,067,620 (Stand alone security device for computer networks);U.S. Pat. No. 6,069,647 (Conditional access and content securitymethod); U.S. Pat. No. 6,069,952 (Data copyright management system);U.S. Pat. No. 6,069,954 (Cryptographic data integrity with serial bitprocessing and pseudo-random generators); U.S. Pat. No. 6,069,955(System for protection of goods against counterfeiting); U.S. Pat. No.6,069,969 (Apparatus and method for electronically acquiring fingerprintimages); U.S. Pat. No. 6,069,970 (Fingerprint sensor and token readerand associated methods); U.S. Pat. No. 6,070,239 (System and method forexecuting verifiable programs with facility for using non-verifiableprograms from trusted sources); U.S. Pat. No. 6,072,870 (System, methodand article of manufacture for a gateway payment architecture utilizinga multichannel, extensible, flexible architecture); U.S. Pat. No.6,072,874 (Signing method and apparatus using the same); U.S. Pat. No.6,072,876 (Method and system for depositing private key used in RSAcryptosystem); U.S. Pat. No. 6,073,125 (Token key distribution systemcontrolled acceptance mail payment and evidencing system); U.S. Pat. No.6,073,160 (Document communications controller); U.S. Pat. No. 6,073,172(Initializing and reconfiguring a secure network interface); U.S. Pat.No. 6,073,234 (Device for authenticating user's access rights toresources and method); U.S. Pat. No. 6,073,236 (Authentication method,communication method, and information processing apparatus); U.S. Pat.No. 6,073,237 (Tamper resistant method and apparatus); U.S. Pat. No.6,073,238 (Method of securely loading commands in a smart card); U.S.Pat. No. 6,073,242 (Electronic authority server); U.S. Pat. No.6,075,864 (Method of establishing secure, digitally signedcommunications using an encryption key based on a blocking setcryptosystem); U.S. Pat. No. 6,075,865 (Cryptographic communicationprocess and apparatus); U.S. Pat. No. 6,076,078 (Anonymous certifieddelivery); U.S. Pat. No. 6,076,162 (Certification of cryptographic keysfor chipcards); U.S. Pat. No. 6,076,163 (Secure user identificationbased on constrained polynomials); U.S. Pat. No. 6,076,164(Authentication method and system using IC card); U.S. Pat. No.6,076,167 (Method and system for improving security in networkapplications); U.S. Pat. No. 6,078,663 (Communication apparatus and acommunication system); U.S. Pat. No. 6,078,665 (Electronic encryptiondevice and method); U.S. Pat. No. 6,078,667 (Generating unique andunpredictable values); U.S. Pat. No. 6,078,909 (Method and apparatus forlicensing computer programs using a DSA signature); U.S. Pat. No.6,079,018 (System and method for generating unique secure values fordigitally signing documents); U.S. Pat. No. 6,079,047 (Unwrapping systemand method for multiple files of a container); U.S. Pat. No. 6,081,597(Public key cryptosystem method and apparatus); U.S. Pat. No. 6,081,598(Cryptographic system and method with fast decryption); U.S. Pat. No.6,081,610 (System and method for verifying signatures on documents);U.S. Pat. No. 6,081,790 (System and method for secure presentment andpayment over open networks); U.S. Pat. No. 6,081,893 (System forsupporting secured log-in of multiple users into a plurality ofcomputers using combined presentation of memorized password andtransportable passport record), each of which is expressly incorporatedherein by reference.

Watermarking

U.S. Pat. No. 5,699,427 (Chow, et al., Dec. 16, 1997), expresslyincorporated herein by reference, relates to a method to deter documentand intellectual property piracy through individualization, and a systemfor identifying the authorized receiver of any particular copy of adocument. More specifically, each particular copy of a document isfingerprinted by applying a set of variations to a document, where eachvariation is a change in data contents, but does not change the meaningor perusal experience of the document. A database associating a set ofvariants to a receiver is maintained. Thus any variant or copy of thatvariant can be traced to an authorized receiver.

See also, U.S. Pat. No. 4,734,564 (Transaction system with off-line riskassessment); U.S. Pat. No. 4,812,628 (Transaction system with off-linerisk assessment); U.S. Pat. No. 4,926,325 (Apparatus for carrying outfinancial transactions via a facsimile machine); U.S. Pat. No. 5,235,166(Data verification method and magnetic media therefor); U.S. Pat. No.5,254,843 (Securing magnetically encoded data using timing variations inencoded data); U.S. Pat. No. 5,341,429 (Transformation of ephemeralmaterial); U.S. Pat. No. 5,428,683 (Method and apparatus forfingerprinting and authenticating magnetic media); U.S. Pat. No.5,430,279 (Data verification method and magnetic media therefor); U.S.Pat. No. 5,521,722 (Image handling facilitating computer aided designand manufacture of documents); U.S. Pat. No. 5,546,462 (Method andapparatus for fingerprinting and authenticating various magnetic media);U.S. Pat. No. 5,606,609 (Electronic document verification system andmethod); U.S. Pat. No. 5,613,004 (Steganographic method and device);U.S. Pat. No. 5,616,904 (Data verification method and magnetic mediatherefor); U.S. Pat. No. 5,636,292 (Steganography methods employingembedded calibration data); U.S. Pat. No. 5,646,997 (Method andapparatus for embedding authentication information within digital data);U.S. Pat. No. 5,659,726 (Data embedding); U.S. Pat. No. 5,664,018(Watermarking process resilient to collusion attacks); U.S. Pat. No.5,687,236 (Steganographic method and device); U.S. Pat. No. 5,710,834(Method and apparatus responsive to a code signal conveyed through agraphic image); U.S. Pat. No. 5,727,092 (Compression embedding); U.S.Pat. No. 5,734,752 (Digital watermarking using stochastic screenpatterns); U.S. Pat. No. 5,740,244 (Method and apparatus for improvedfingerprinting and authenticating various magnetic media); U.S. Pat. No.5,745,569 (Method for stega-cipher protection of computer code); U.S.Pat. No. 5,745,604 (Identification/authentication system using robust,distributed coding); U.S. Pat. No. 5,748,763 (Image steganography systemfeaturing perceptually adaptive and globally scalable signal embedding);U.S. Pat. No. 5,748,783 (Method and apparatus for robust informationcoding); U.S. Pat. No. 5,761,686 (Embedding encoded information in aniconic version of a text image); U.S. Pat. No. 5,765,152 (System andmethod for managing copyrighted electronic media); U.S. Pat. No.5,768,426 (Graphics processing system employing embedded code signals);U.S. Pat. No. 5,778,102 (Compression embedding); U.S. Pat. No. 5,790,703(Digital watermarking using conjugate halftone screens); U.S. Pat. No.5,819,289 (Data embedding employing degenerate clusters of data havingdifferences less than noise value); U.S. Pat. No. 5,822,432 (Method forhuman-assisted random key generation and application for digitalwatermark system); U.S. Pat. No. 5,822,436 (Photographic products andmethods employing embedded information); U.S. Pat. No. 5,832,119(Methods for controlling systems using control signals embedded inempirical data); U.S. Pat. No. 5,841,886 (Security system forphotographic identification); U.S. Pat. No. 5,841,978 (Network linkingmethod using steganographically embedded data objects); U.S. Pat. No.5,848,155 (Spread spectrum watermark for embedded signalling); U.S. Pat.No. 5,850,481 (Steganographic system); U.S. Pat. No. 5,862,260 (Methodsfor surveying dissemination of proprietary empirical data); U.S. Pat.No. 5,878,137 (Method for obtaining authenticity identification devicesfor using services in general, and device obtained thereby); U.S. Pat.No. 5,889,868 (Optimization methods for the insertion, protection, anddetection of digital watermarks in digitized data); U.S. Pat. No.5,892,900 (Systems and methods for secure transaction management andelectronic rights protection); U.S. Pat. No. 5,905,505 (Method andsystem for copy protection of on-screen display of text); U.S. Pat. No.5,905,800 (Method and system for digital watermarking); U.S. Pat. No.5,915,027 (Digital watermarking); U.S. Pat. No. 5,920,628 (Method andapparatus for fingerprinting and authenticating various magnetic media);U.S. Pat. No. 5,930,369 (Secure spread spectrum watermarking formultimedia data); U.S. Pat. No. 5,933,498 (System for controlling accessand distribution of digital property); U.S. Pat. No. 5,943,422(Steganographic techniques for securely delivering electronic digitalrights management control information over insecure communicationchannels); U.S. Pat. No. 5,946,414 (Encoding data in color images usingpatterned color modulated image regions); U.S. Pat. No. 5,949,885(Method for protecting content using watermarking); U.S. Pat. No.5,974,548 (Media-independent document security method and apparatus);U.S. Pat. No. 5,995,625 (Electronic cryptographic packing); U.S. Pat.No. 6,002,772 (Data management system); U.S. Pat. No. 6,004,276 (Openarchitecture cardiology information system); U.S. Pat. No. 6,006,328(Computer software authentication, protection, and security system);U.S. Pat. No. 6,006,332 (Rights management system for digital media);U.S. Pat. No. 6,018,801 (Method for authenticating electronic documentson a computer network); U.S. Pat. No. 6,026,193 (Video steganography);U.S. Pat. No. 6,044,464 (Method of protecting broadcast data byfingerprinting a common decryption function); U.S. Pat. No. 6,047,374(Method and apparatus for embedding authentication information withindigital data); U.S. Pat. No. 6,049,627 (Covert digital identifyingindicia for digital image); U.S. Pat. No. 6,061,451 (Apparatus andmethod for receiving and decrypting encrypted data and protectingdecrypted data from illegal use); U.S. Pat. No. 6,064,737 (Anti-piracysystem for wireless telephony); U.S. Pat. No. 6,064,764 (Fragilewatermarks for detecting tampering in images); U.S. Pat. No. 6,069,914(Watermarking of image data using MPEG/JPEG coefficients); U.S. Pat. No.6,076,077 (Data management system); U.S. Pat. No. 6,081,793 (Method andsystem for secure computer moderated voting), each of which is expresslyincorporated herein by reference.

Role-Based Access

U.S. Pat. No. 6,023,765 (Kuhn, Feb. 8, 2000; Implementation ofrole-based access control in multi-level secure systems), expresslyincorporated herein by reference, relates to a system and method forimplementation of role-based access control in multi-level securesystems. Role-based access control (RBAC) is implemented on amulti-level secure (MLS) system by establishing a relationship betweenprivileges within the RBAC system and pairs of levels and compartmentswithin the MLS system. The advantages provided by RBAC, that is,reducing the overall number of connections that must be maintained, and,for example, greatly simplifying the process required in response to achange of job status of individuals within an organization, are thenrealized without loss of the security provided by MLS. A trustedinterface function is developed to ensure that the RBAC rules permittingindividual's access to objects are followed rigorously, and provides aproper mapping of the roles to corresponding pairs of levels andcompartments. No other modifications are necessary. Access requests fromsubjects are mapped by the interface function to pairs of levels andcompartments, after which access is controlled entirely by the rules ofthe MLS system.

See also, U.S. Pat. No. 6,073,242 (Electronic authority server); U.S.Pat. No. 6,073,240 (Method and apparatus for realizing computersecurity); U.S. Pat. No. 6,064,977 (Web server with integratedscheduling and calendaring); U.S. Pat. No. 6,055,637 (System and methodfor accessing enterprise-wide resources by presenting to the resource atemporary credential); U.S. Pat. No. 6,044,466 (Flexible and dynamicderivation of permissions); U.S. Pat. No. 6,041,349 (Systemmanagement/network correspondence display method and system therefore);U.S. Pat. No. 6,014,666 (Declarative and programmatic access control ofcomponent-based server applications using roles); U.S. Pat. No.5,991,877 (Object-oriented trusted application framework); U.S. Pat. No.5,978,475 (Event auditing system); U.S. Pat. No. 5,949,866(Communications system for establishing a communication channel on thebasis of a functional role or task); U.S. Pat. No. 5,925,126 (Method forsecurity shield implementation in computer system's software); U.S. Pat.No. 5,911,143 (Method and system for advanced role-based access controlin distributed and centralized computer systems); U.S. Pat. No.5,797,128 (System and method for implementing a hierarchical policy forcomputer system administration); U.S. Pat. No. 5,761,288 (Servicecontext sensitive features and applications); U.S. Pat. No. 5,751,909(Database system with methods for controlling object interaction byestablishing database contracts between objects); U.S. Pat. No.5,748,890 (Method and system for authenticating and auditing access by auser to non-natively secured applications); U.S. Pat. No. 5,621,889(Facility for detecting intruders and suspect callers in a computerinstallation and a security system including such a facility); U.S. Pat.No. 5,535,383 (Database system with methods for controlling objectinteraction by establishing database contracts between objects); U.S.Pat. No. 5,528,516 (Apparatus and method for event correlation andproblem reporting); U.S. Pat. No. 5,481,613 (Computer networkcryptographic key distribution system); U.S. Pat. No. 5,347,578(Computer system security); U.S. Pat. No. 5,265,221 (Access restrictionfacility method and apparatus), each of which is expressly incorporatedherein by reference.

Computer System Security

U.S. Pat. No. 5,881,225 (Worth, Mar. 9, 1999), expressly incorporatedherein by reference, relates to a security monitor for controllingfunctional access to a computer system. A security monitor controlssecurity functions for a computer system. A user desiring access to thesystem inputs a user identification and password combination, and a rolethe user to assume is selected from among one or more roles defined inthe system. Upon being validated as an authorized user performing aparticular role, the user is then authorized to perform certainfunctions and tasks specifically and to see information associated withthat role (and optimally the work group the user is assigned). For someusers, no role or a “null” roll is chosen, and authorization for certainfunctions and tasks is accomplished due to that particular user havingbeen predefined by an administrator as being allowed to perform thosefunctions and tasks, usually due to the predefined privileges associatedwith the work group(s) to which the user belongs.

U.S. Pat. No. 5,937,068 (Audebert, Aug. 10, 1999), expresslyincorporated herein by reference, relates to a system and method foruser authentication employing dynamic encryption variables. The systemincludes a first card-like unit adapted to communicate with a secondunit giving only conditionally access to a function. Both units arecapable of running software for generating a password by means ofencryption of a plurality of dynamic variables produced separately butin concert (so as to have a predetermined relationship, such asidentity, with one another) in the units. The encryption is carried outin each unit by a public algorithm using a dynamically varyingencryption key. Each time an access request is issued by a card user,the key is modified as a function of the number of access requestspreviously formulated by the card user. Access to the function isgranted when the passwords generated in the units have a predeterminedrelationship (such as identity) with each other. In a “virtual token”implementation, the first unit can be a smart card, which stores thedynamic key and the variable representing the number of formulatedauthentication requests and executes an encryption algorithm, a smartcard reader and a computer such as a personal computer. Either the smartcard reader or the personal computer can generate the time dependentvariable. In a “software token” implementation, the functions of thefirst unit are performed by a personal computer, thus eliminating theneed for a smart card or a smart card reader.

U.S. Pat. No. 5,949,882 (Angelo, Sep. 7, 1999), expressly incorporatedherein by reference, relates to a method and apparatus for allowingaccess to secured computer resources by utilizing a password and anexternal encryption algorithm. A method for permitting access to securedcomputer resources based upon a two-piece user verification process isprovided. In one embodiment, the user verification process is carriedout during a secure power-up procedure. At some point during the securepower-up procedure, the computer user is required to provide an externaltoken or smart card that is coupled to the computer through specializedhardware. The token or smart card is used to store an encryptionalgorithm furnished with an encryption key that is unique or of limitedproduction. The computer user is then required to enter a plain textuser password. Once entered, the user password is encrypted using theencryption algorithm contained in the external token to create aperipheral password. The peripheral password is compared to a valuestored in either secure system memory or in memory contained within asecured resource itself. If the two values match, access to the securedresource is permitted. In an alternate embodiment, the two-pieceauthentication process is conducted during normal computer operationoutside of the secure power-on sequence. In this embodiment, the userpassword is entered by means of a secure keyboard communicationschannel. In either embodiment, the two-piece nature of the authorizationprocess requires the presence of both the user password and the externaltoken in order to generate the peripheral password.

U.S. Pat. No. 5,953,419 (Lohstroh, et al., Sep. 14, 1999), expresslyincorporated herein by reference, relates to a cryptographic filelabeling system for supporting secured access by multiple users. Asystem is disclosed for automatically distributing secured versions of afile decryption key to a plurality of file users by way of the file'ssecurity label. The label is defined to contain a plurality ofAccess-Control-Entries Records (ACER's) where each ACER includes arespective secured version of the file decryption key. Each such securedversion is decipherable by a respective ACER private key. Each ACER mayinclude respective other data such as: (a) ACER-unique identifying datafor uniquely identifying the ACER or an associated user; (b) decryptionalgorithm identifying data for identifying the decryption process to beused to decrypt the encrypted data portion of the file; and (c) specialhandling code for specifying special handling for the code-containingACER. The label is preferably covered by a digital signature butincludes an extension buffer that is not covered by the digitalsignature. Users who wish to have an ACER of their own added to thelabel may submit add-on requests by writing to the extension buffer.

U.S. Pat. No. 5,956,400 (Chaum, et al., Sep. 21, 1999), expresslyincorporated herein by reference, relates to partitioned informationstorage systems with controlled retrieval. An information storage systemincludes one or more information update terminals, a mapper, one or morepartial-databases, and one or more query terminals, exchanging messagesover a set of communication channels. An identifier-mapping mechanismprovides (to an update terminal) a method for delegating control overretrieval of the data stored at the partial-databases to one or moremappers, typically operated by one or more trusted third parties. Updateterminals supply information, which is stored in fragmented form by thepartial-databases. Data-fragment identifiers and pseudonyms areintroduced, preventing unauthorized de-fragmentation of information—thusproviding compliance to privacy legislation—while at the same timeallowing query terminals to retrieve (part of) the stored data or learnproperties of the stored data. The mapper is necessarily involved inboth operations, allowing data access policies to be enforced andpotential abuse of stored information to be reduced. Introduction ofmultiple mappers acts to distribute information retrieval control amongmultiple trusted third parties. Introducing so-called “groupers”increases the efficiency of data retrieval for a common set of queriesand further reduces potential abuse of information.

U.S. Pat. No. 5,958,050 (Griffin, et al., Sep. 28, 1999), expresslyincorporated herein by reference, relates to a trusted delegationsystem. A trust manager examines each new class before it is allowed toexecute by examining a policy file which includes data structuresdefining security policies of the user system, a certificate repositoryfor storing a plurality of certificates, a certificate being a datarecord which is digitally signed and which certifies claims relevant toa security evaluation, a code examiner adapted to analyze the portion ofcode to determine potential resource use of the portion of code and atrust evaluator adapted to evaluate certificate requirements of theportion of code based on policy rules extracted from the policy file andthe potential resource use specified by the code examiner. The trustevaluator also determines, from certificates from the certificaterepository and a code identifier identifying the portion of code,whether execution of the portion of code is allowed by the policy rulesgiven the potential resource use, the code supplier and applicablecertificates. Certificates and policies can be specified in hierarchicalform, so that some levels of security can be delegated to trustedentities.

U.S. Pat. No. 5,978,475 (Schneier, et al., Nov. 2, 1999), expresslyincorporated herein by reference, relates to an event auditing system.In many computer applications, sensitive information must be kept on anuntrusted machine. Such information must be protected against attackers,as well as against partially trusted entities to be given partial, butnot total, access to the stored information. A method, apparatus andcomputer-readable data structure are provided for inhibiting an attackerfrom accessing or corrupting information stored by an untrusted machine.More specifically, in a log file generated during a process in which theuntrusted machine is in limited communication with a trusted machine,entries generated prior to the attack remain secure (they cannot bemodified without detection), even though subsequent entries can not betrusted. One embodiment also allows a partially trusted verifier to readand verify entries in the log file, but not to change them withoutdetection. In another embodiment, operating with or without the trustedmachine, the untrusted machine's log file can also incorporate log filesof other processes.

U.S. Pat. No. 5,991,878 (McDonough, et al., Nov. 23, 1999), expresslyincorporated herein by reference, relates to a system and method forcontrolling access to information in a distributed computing system. Arequest for the information is received and is accompanied by encryptedsession state data. Based on the encrypted session state data, it isdetermined whether to pass the request on to a source of theinformation. In a memory buffer, old data is replaced by overwritingwith a unique identifier. After the memory buffer has received new dataand a procedure has been executed for copying the contents of the memorybuffer to a destination, it is determined whether the unique identifiermay be found at the destination.

U.S. Pat. No. 6,070,239 (McManis, May 30, 2000), expressly incorporatedherein by reference, relates to a system and method for executingverifiable programs with facility for using non-verifiable programs fromtrusted sources. A computer system includes a program executer thatexecutes verifiable architecture neutral programs and a class loaderthat prohibits the loading and execution of non-verifiable programsunless (A) the non-verifiable program resides in a trusted repository ofsuch programs, or (B) the non-verifiable program is indirectlyverifiable by way of a digital signature on the non-verifiable programthat proves the program was produced by a trusted source. In thepreferred embodiment, verifiable architecture neutral programs are Javabytecode programs whose integrity is verified using a Java bytecodeprogram verifier. The non-verifiable programs are generally architecturespecific compiled programs generated with the assistance of a compiler.Each architecture specific program typically includes two signatures,including one by the compiling party and one by the compiler. Eachdigital signature includes a signing party identifier and an encryptedmessage. The encrypted message includes a message generated by apredefined procedure, and is encrypted using a private encryption keyassociated with the signing party. A digital signature verifier used bythe class loader includes logic for processing each digital signature byobtaining a public key associated with the signing party, decrypting theencrypted message of the digital signature with that public key so asgenerate a decrypted message, generating a test message by executing thepredefined procedure on the architecture specific program associatedwith the digital signature, comparing the test message with thedecrypted message, and issuing a failure signal if the decrypted messagedigest and test message digest do not match.

U.S. Pat. No. 6,079,021 (Abadi, et al., Jun. 20, 2000), expresslyincorporated herein by reference, relates to a method and apparatus forstrengthening passwords for protection of computer systems. Acomputer-implemented method provides access to processes and data usingstrengthened password. During an initialization phase, an access code isstored in a memory of a computer system. The access code is anapplication of a one-way hash function to a concatenation of a passwordand a password supplement. The size of the password supplement is afixed number of bits. During operation of the system, a user enters apassword, and the one-way hash function is applied to concatenations ofthe password and possible values having the size of the passwordsupplement to yield trial access codes. Access is granted when one ofthe trial access codes is identical to the stored access code.

Computer Security Devices

U.S. Pat. No. 5,982,520 (Weiser, et al., Nov. 9, 1999), expresslyincorporated herein by reference, relates to a personal storage devicefor receipt, storage, and transfer of digital information to otherelectronic devices has a pocket sized crush resistant casing with avolume of less than about ten cubic centimeters. A processor ispositioned within the casing cavity and attached to the crush resistantcasing, while a memory module also positioned within the casing cavityis configured to store received executable applications and data. Aninfrared transceiver is mounted on the crush resistant casing and inelectronic communication with the processor and memory module to providefor receipt and storage of executable applications, and receipt,storage, and transfer of digital information to other electronicdevices. The digital information stored by the personal storage devicecan be intermittently synchronized with other electronic devices.

U.S. Pat. No. 5,991,519 (Benhammou, et al., Nov. 23, 1999), expresslyincorporated herein by reference, relates to a secure memory havingmultiple security levels. A secured memory comprises a first levelsecurity zone having an access code controlling access to the securedmemory prior to an issuer fuse being blown, a security code attemptscounter preventing access to the secured memory when a predeterminednumber of attempts at matching the access code have been made prior toresetting the security code attempts counter, a plurality of applicationzones, each of the plurality of application zones comprising: a storagememory zone, an application security zone having an application zoneaccess code controlling access to the storage memory zone after anissuer fuse has been blown, an application zone security code attemptscounter preventing access to the application zone when a predeterminednumber of attempts at matching the application zone access code havebeen made prior to resetting the application zone security code attemptscounter, an erase key partition having an erase key code controllingerase access to the storage memory zone after an issuer fuse has beenblown, and an erase key attempts counter preventing erase access to theapplication zone when a predetermined number of attempts at matching theerase key code have been made prior to resetting the erase key attemptscounter.

U.S. Pat. No. 5,999,629 (Heer, et al., Dec. 7, 1999), expresslyincorporated herein by reference, relates to a data encryption securitymodule. Encryption keys used to encrypt such messages need to be managedin a highly secure manner. A unique device encryption key is generated,a cryptographic key formed from a unique identification key and anassociated public key, and at least one program encryption key, in whichthe public key is generated as a function of the unique identificationkey. The module then encrypts the unique identification key and programencryption key using said device encryption key and stores the encryptedresult in memory internal to security module, thereby securing the keysagainst misappropriation. In addition, the module provides a mechanismfor using the program encryption key to encrypt information that itreceives from an external source and store the encrypted information inmemory external to the security module, and responsive to receiving froma requester a request for the program encryption key, encrypting theprogram encryption key, using a symmetrical encryption key generated asa function of a public key generated by a security module associatedwith the requester. The former security module then supplies theencrypted program encryption key to the requester.

U.S. Pat. No. 6,034,618 (Tatebayashi, et al., Mar. 7, 2000), expresslyincorporated herein by reference, relates to a device authenticationsystem that allows the authentication function to be changed. A decoderapparatus generates a random number for authenticating the optical discdrive apparatus and sends it to the optical disc drive apparatus as thechallenge data. The optical disc drive apparatus selects one out ofsixteen claimant functions stored in the claimant function unit andcalculates the function value, which it sends to the decoder apparatusas the response data. The decoder apparatus compares the response datawith sixteen function values to that are obtained using the sixteenverification functions stored in the verification function unit, andauthenticates the optical disc drive apparatus when at least one of thefunction values matches the response data.

U.S. Pat. No. 6,041,412 (Timson, et al., Mar. 21, 2000), expresslyincorporated herein by reference, relates to an apparatus and a methodfor providing access to a secured data or area, includes at least twosecure data modules which contain security data and other informationand which belong to a particular security scheme and a dual modulereader for reading data and permissions instructions contained on thesecure data modules. The two secure data modules include an enablingmodule and an interrogatable module. The interrogatable module and theenabling module communicate with each other via a dual module reader.Communication between the two modules is allowed as long as the twomodules are members of the same security scheme. A scheme is defined bysuitable proprietary encryption keys for enabling communication and datatransfer between the two modules belonging to a common scheme and forpreventing communication and data transfer between two modules belongingto different schemes. The communication between the two modules providesan improved data security and access control system that eliminates theneed for multiple passwords for various operations and also preventsproblems associated with conventional access cards that are used inconjunction with passwords.

U.S. Pat. No. 6,061,451 (Muratani, et al., May 9, 2000), expresslyincorporated herein by reference, relates to an apparatus and method forreceiving and decrypting encrypted data and protecting decrypted datafrom illegal use. A data receiving apparatus is formed of a set top unitconnected to a network and a security module. Digital video data,supplied from the network and scrambled according to a first system, isscrambled according to a second system in a scramble circuit in the settop unit, and is supplied to the security module. The data isdescrambled according to the first system in a descramble circuit in thesecurity module, and is transferred back to the set top unit. The datais descrambled according to the second system in a descramble circuit inthe set top unit, and is outputted to an image display terminal via anMPEG decoder.

U.S. Pat. No. 6,069,647 (Sullivan, et al., May 30, 2000), expresslyincorporated herein by reference, relates to a conditional access andcontent security method. An interface unit, connected to a programmableunit, is capable of containing a time-sensitive key. The programmableunit is allowed to receive digital content from the interface unit uponestablishing that the time-sensitive key is also contained therein.

Computer Network Firewall

U.S. Pat. No. 5,944,823 (Jade, et al., Aug. 31, 1999), expresslyincorporated herein by reference, relates to a system and method forproviding outside access to computer resources through a firewall. Afirewall isolates computer and network resources inside the firewallfrom networks, computers and computer applications outside the firewall.Typically, the inside resources could be privately owned databases andlocal area networks (LAN's), and outside objects could includeindividuals and computer applications operating through publiccommunication networks such as the Internet. Usually, a firewall allowsfor an inside user or object to originate connection to an outsideobject or network, but does not allow for connections to be generated inthe reverse direction; i.e. from outside in. The system provides aspecial “tunneling” mechanism, operating on both sides of a firewall,for establishing such “outside in” connections when they are requestedby certain “trusted” individuals or objects or applications outside thefirewall. The intent here is to minimize the resources required forestablishing “tunneled” connections (connections through the firewallthat are effectively requested from outside), while also minimizing thesecurity risk involved in permitting such connections to be made at all.The mechanism includes special tunneling applications, running oninterface servers inside and outside the firewall, and a special tableof “trusted sockets” created and maintained by the inside tunnelingapplication. Entries in the trusted sockets table define objects insidethe firewall consisting of special inside ports, a telecommunicationprotocol to be used at each port, and a host object associated with eachport. Each entry is “trusted” in the sense that it is supposedly knownonly by individuals authorized to have “tunneling” access through thefirewall from outside. These applications use the table to effectconnections through the firewall in response to outside requestsidentifying valid table entries.

U.S. Pat. No. 5,968,176 (Nessett, et al., Oct. 19, 1999), expresslyincorporated herein by reference, relates to a multilayer firewallsystem. A system provides for establishing security in a network thatincludes nodes having security functions operating in multiple protocollayers. Multiple network devices, such as remote access equipment,routers, switches, repeaters and network cards having security functionsare configured to contribute to implementation of distributed firewallfunctions in the network. By distributing firewall functionalitythroughout many layers of the network in a variety of network devices, apervasive firewall is implemented. The pervasive, multilayer firewallincludes a policy definition component that accepts policy data thatdefines how the firewall should behave. The policy definition componentcan be a centralized component, or a component that is distributed overthe network. The multilayer firewall also includes a collection ofnetwork devices that are used to enforce the defined policy. Thesecurity functions operating in this collection of network devicesacross multiple protocol layers are coordinated by the policy definitioncomponent so that particular devices enforce that part of the policypertinent to their part of the network.

U.S. Pat. No. 5,983,350 (Minear, et al., Nov. 9, 1999), expresslyincorporated herein by reference, relates to a secure firewallsupporting different levels of authentication based on address orencryption status. A system and method is provided for regulating theflow of messages through a firewall having a network protocol stack,wherein the network protocol stack includes an Internet Protocol (IP)layer, the method comprising establishing a security policy,determining, at the IP layer, if a message is encrypted, if the messageis not encrypted, passing the unencrypted message up the networkprotocol stack to an application level proxy, and if the message isencrypted, decrypting the message and passing the decrypted message upthe network protocol stack to the application level proxy, whereindecrypting the message includes executing a process at the IP layer todecrypt the message.

U.S. Pat. No. 6,009,475 (Shrader, Dec. 28, 1999), expressly incorporatedherein by reference, relates to a system and method for filter rulevalidation and administration for firewalls. Filter rules on a firewallbetween a secure computer network and a nonsecure computer network arevalidated from a user interface. A user interface is presented in whicha test packet can be defined. The user interface includes controls fordefining values for attributes of the test packet, wherein theattributes of the test packet are selected from a set of attributes ofnormal packets normally sent between the secure and nonsecure computernetworks. A defined test packet is validated against a set of filterrules in the firewall or matched against the filter rules to determinethose filter rules with matching attributes to the defined packet. Whenvalidating, responsive to the failure of the test packet in thevalidating step, the filter rule in the set of filter rules that deniedthe test packet is displayed.

U.S. Pat. No. 6,052,788 (Wesinger, Jr., et al., Apr. 18, 2000),expressly incorporated herein by reference, relates to a firewall,providing enhanced network security and user transparency, for improvednetwork security and maximum user convenience. The firewall employs“envoys” that exhibit the security robustness of prior-art proxies andthe transparency and ease-of-use of prior-art packet filters, combiningthe best of both worlds. No traffic can pass through the firewall unlessthe firewall has established an envoy for that traffic. Bothconnection-oriented (e.g., TCP) and connectionless (e.g., UDP-based)services may be handled using envoys. Establishment of an envoy may besubjected to a myriad of tests to “qualify” the user, the requestedcommunication, or both. Therefore, a high level of security may beachieved. The usual added burden of prior-art proxy systems is avoidedin such a way as to achieve full transparency—the user can use standardapplications and need not even know of the existence of the firewall. Toachieve full transparency, the firewall is configured as two or moresets of virtual hosts. The firewall is, therefore, “multi-homed,” eachhome being independently configurable. One set of hosts responds toaddresses on a first network interface of the firewall. Another set ofhosts responds to addresses on a second network interface of thefirewall. In one aspect, programmable transparency is achieved byestablishing DNS mappings between remote hosts to be accessed throughone of the network interfaces and respective virtual hosts on thatinterface. In another aspect, automatic transparency may be achievedusing code for dynamically mapping remote hosts to virtual hosts inaccordance with a technique referred to herein as dynamic DNS, or DDNS.

U.S. Pat. No. 6,061,797 (Jade, et al., May 9, 2000), expresslyincorporated herein by reference, relates to a system and method forproviding outside access to computer resources through a firewall. Afirewall isolates computer and network resources inside the firewallfrom networks, computers and computer applications outside the firewall.Typically, the inside resources could be privately owned databases andlocal area networks (LAN's), and outside objects could includeindividuals and computer applications operating through publiccommunication networks such as the Internet. Usually, a firewall allowsfor an inside user or object to originate connection to an outsideobject or network, but does not allow for connections to be generated inthe reverse direction; i.e. from outside in. The system provides aspecial “tunneling” mechanism, operating on both sides of a firewall,for establishing such “outside in” connections when they are requestedby certain “trusted” individuals or objects or applications outside thefirewall. The intent here is to minimize the resources required forestablishing “tunneled” connections (connections through the firewallthat are effectively requested from outside), while also minimizing thesecurity risk involved in permitting such connections to be made at all.The mechanism includes special tunneling applications, running oninterface servers inside and outside the firewall, and a special tableof “trusted sockets” created and maintained by the inside tunnelingapplication. Entries in the trusted sockets table define objects insidethe firewall consisting of special inside ports, a telecommunicationprotocol to be used at each port, and a host object associated with eachport. Each entry is “trusted” in the sense that it is supposedly knownonly by individuals authorized to have “tunneling” access through thefirewall from outside.

U.S. Pat. No. 6,061,798 (Coley, et al., May 9, 2000), expresslyincorporated herein by reference, relates to a firewall system forprotecting network elements connected to a public network. The firewalloperates on a stand-alone computer connected between the public networkand the network elements to be protected such that all access to theprotected network elements must go through the firewall. The firewallapplication running on the stand-alone computer is preferably the onlyapplication running on that machine. The application includes a varietyof proxy agents that are specifically assigned to an incoming request inaccordance with the service protocol (i.e., port number) indicated inthe incoming access request. An assigned proxy agent verifies theauthority of an incoming request to access a network element indicatedin the request. Once verified, the proxy agent completes the connectionto the protected network element on behalf of the source of the incomingrequest.

See also, U.S. Pat. No. 6,075,860 (Apparatus and method forauthentication and encryption of a remote terminal over a wirelesslink); U.S. Pat. No. 6,061,798 (Firewall system for protecting networkelements connected to a public network); U.S. Pat. No. 6,061,797(Outside access to computer resources through a firewall); U.S. Pat. No.6,052,788 (Firewall providing enhanced network security and usertransparency); U.S. Pat. No. 6,047,322 (Method and apparatus for qualityof service management); U.S. Pat. No. 6,041,355 (Method for transferringdata between a network of computers dynamically based on taginformation); U.S. Pat. No. 6,012,088 (Automatic configuration forinternet access device); U.S. Pat. No. 6,003,084 (Secure network proxyfor connecting entities); U.S. Pat. No. 5,999,973 (Use of web technologyfor subscriber management activities); U.S. Pat. No. 5,991,731 (Methodand system for interactive prescription and distribution ofprescriptions in conducting clinical studies); U.S. Pat. No. 5,983,350(Secure firewall supporting different levels of authentication based onaddress or encryption status); U.S. Pat. No. 5,968,176 (Multilayerfirewall system); U.S. Pat. No. 5,960,177 (System for performing remoteoperation between firewall-equipped networks or devices); U.S. Pat. No.5,958,016 (Internet-web link for access to intelligent network servicecontrol); U.S. Pat. No. 5,950,195 (Generalized security policymanagement system and method); U.S. Pat. No. 5,944,823 (Outside accessto computer resources through a firewall); U.S. Pat. No. 5,928,333(Electronic mail management system for operation on a host computersystem); U.S. Pat. No. 5,918,227 (On-line directory service with aplurality of databases and processors); U.S. Pat. No. 5,915,087(Transparent security proxy for unreliable message exchange protocols);U.S. Pat. No. 5,915,008 (System and method for changing advancedintelligent network services from customer premises equipment); U.S.Pat. No. 5,909,493 (Method and system for diagnosis and control ofmachines using connectionless modes of communication); U.S. Pat. No.5,898,830 (Firewall providing enhanced network security and usertransparency); U.S. Pat. No. 5,870,744 (Virtual people networking); U.S.Pat. No. 5,845,267 (System and method for billing for transactionsconducted over the internet from within an intranet); U.S. Pat. No.5,835,726 (System for securing the flow of and selectively modifyingpackets in a computer network); U.S. Pat. No. 5,826,029 (Secured gatewayinterface); U.S. Pat. No. 5,826,014 (Firewall system for protectingnetwork elements connected to a public network); U.S. Pat. No. 5,812,398(Method and system for escrowed backup of hotelled world wide websites); U.S. Pat. No. 5,805,803 (Secure web tunnel); U.S. Pat. No.5,784,463 (Token distribution, registration, and dynamic configurationof user entitlement for an application level security system andmethod); U.S. Pat. No. 5,632,011 (Electronic mail management system foroperation on a host computer system); U.S. Pat. No. 5,623,601 (Apparatusand method for providing a secure gateway for communication and dataexchanges between networks), each of which is expressly incorporatedherein by reference.

Virtual Private Network

U.S. Pat. No. 6,079,020 (Liu, Jun. 20, 2000), expressly incorporatedherein by reference, relates to a method and an apparatus for managing avirtual private network operating over a public data network. Thispublic data network has been augmented to include a plurality of virtualprivate network gateways so that communications across the virtualprivate network are channeled through the virtual private networkgateways. One embodiment includes a system that operates by receiving acommand specifying an operation on the virtual private network. Thesystem determines which virtual private network gateways are affected bythe command. The system then automatically translates the command intoconfiguration parameters for virtual private network gateways affectedby the command. These configuration parameters specify how the virtualprivate network gateways handle communications between specific groupsof addresses on the public data network. The system then transmits theconfiguration parameters to the virtual private network gatewaysaffected by the command, so that the virtual private network gatewaysare configured to implement the command.

See also, U.S. Pat. No. 6,081,900 (Secure intranet access); U.S. Pat.No. 6,081,533 (Method and apparatus for an application interface modulein a subscriber terminal unit); U.S. Pat. No. 6,079,020 (Method andapparatus for managing a virtual private network); U.S. Pat. No.6,078,946 (System and method for management of connection orientednetworks); U.S. Pat. No. 6,078,586 (ATM virtual private networks); U.S.Pat. No. 6,075,854 (Fully flexible routing service for an advancedintelligent network); U.S. Pat. No. 6,075,852 (Telecommunications systemand method for processing call-independent signalling transactions);U.S. Pat. No. 6,073,172 (Initializing and reconfiguring a secure networkinterface); U.S. Pat. No. 6,061,796 (Multi-access virtual privatenetwork); U.S. Pat. No. 6,061,729 (Method and system for communicatingservice information in an advanced intelligent network); U.S. Pat. No.6,058,303 (System and method for subscriber activity supervision); U.S.Pat. No. 6,055,575 (Virtual private network system and method); U.S.Pat. No. 6,052,788 (Firewall providing enhanced network security anduser transparency); U.S. Pat. No. 6,047,325 (Network device forsupporting construction of virtual local area networks on arbitrarylocal and wide area computer networks); U.S. Pat. No. 6,032,118 (Virtualprivate network service provider for asynchronous transfer modenetwork); U.S. Pat. No. 6,029,067 (Virtual private network for mobilesubscribers); U.S. Pat. No. 6,016,318 (Virtual private network systemover public mobile data network and virtual LAN); U.S. Pat. No.6,009,430 (Method and system for provisioning databases in an advancedintelligent network); U.S. Pat. No. 6,005,859 (Proxy VAT-PSTNorigination); U.S. Pat. No. 6,002,767 (System, method and article ofmanufacture for a modular gateway server architecture); U.S. Pat. No.6,002,756 (Method and system for implementing intelligenttelecommunication services utilizing self-sustaining, fault-tolerantobject oriented architecture), each of which is expressly incorporatedherein by reference.

Biometric Authentication

U.S. Pat. No. 5,193,855 (Shamos, Mar. 16, 1993, Patient and healthcareprovider identification system), expressly incorporated herein byreference, relates to a patient and healthcare provider identificationsystem which includes a database of patient and healthcare providerinformation including the identity of each patient and provider and someidentification criteria (such as fingerprint data); a print scanner forreading the print information from a patient or provider; a controlsystem for matching the print data read by the scanner with the printdata stored in memory; and a printer for printing labels or generatingstamps or other visually perceptible medium for positively identifyingthe patient or provider and creating a record of the identification.

U.S. Pat. No. 6,035,406 (Moussa, et al., Mar. 7, 2000), expresslyincorporated herein by reference, relates to a plurality-factor securitysystem. The method and system provide for simultaneously authenticatinga user using two or more factors, such as both a password and a physicaltoken or both a password and biometric information. The user presents aphysical token including a storage device to a processor and attempts tolog in using a first password; the processor includes a login servicewhich receives the first password, accesses the storage device totransform the first password into a second password, and authenticatesthe second password using an operating system for the processor. Thestorage device includes encrypted information regarding the secondpassword which can be relatively easily determined in response to thefirst password, but which cannot be relatively easily determined withoutthe first password. The system or the storage device may also storeinformation for biometric authentication of the user.

U.S. Pat. No. 6,052,468 (Hillhouse, Apr. 18, 2000), expresslyincorporated herein by reference, relates to a method is disclosed forimproving portability of secure encryption key data files. The methodprovides for re-securing key data files according to different securityprocesses for mobility. For porting an encryption key secured using afingerprint authentication process to a system having only a passwordauthentication process, a user selects password authentication process,provides a fingerprint and is authorized, provides a new password andthen the encryption key is accessed according to the fingerprintauthentication process and secured according to the passwordauthentication process. This allows the use of specialized securityhardware at one location while retaining an ability to transportencryption keys in a secure fashion to other locations, which do nothave similar security hardware. U.S. Pat. No. 6,052,468 thereforeprovides a system and method for increasing portability of secure accesscodes, by providing a system comprising a cryptographic key encryptedand stored in a key data file and a secured key for decrypting thecryptographic key wherein the secured key is stored in a securedfashion, a method of securing the secured key comprising the steps of a)accessing stored data associated with the secured key, the dataindicative of an access method from a plurality of access methods foraccessing the secured key; b) executing the indicated access method toaccess the secured key; c) selecting a method from the plurality ofmethods for securing the accessed secured key; d) securing the accessedsecured key according to the selected access method; and, e) storingdata associated with the secured key, the data indicative of theselected access method. The key may be secured by providing userauthentication information; deriving from the user authenticationinformation a second cryptographic key; encrypting the accessed securedkey using the second cryptographic key; and the secured key is accessedby the steps of: providing user authentication information; derivingfrom the user authentication information a third cryptographic key; and,decrypting the secured key using the third cryptographic key. A methodof accessing a secured cryptographic key is provided comprising thesteps of: a) accessing data associated with the secured cryptographickey to determine an authorization method necessary to access the securedcryptographic key; b) providing user authorization information; and c)executing the determined authorization method to access the securedcryptographic key based on the user authorization information provided.A further method is provided for securing portable key data includingencryption key information comprising the steps of: a) selecting a firstauthorization process from a plurality of authorization processes forsecuring the portable key data; b) authenticating access to the securedportable key data according to a different authorization process,removing the security from the portable key data; and c) implementingsecurity of the portable key data according to the first authorizationprocess.

U.S. Pat. No. 6,076,167 (Borza, Jun. 13, 2000), expressly incorporatedherein by reference, relates to a method of enhancing network securityfor a communication session initiated between a first computer and asecond other computer. From the first computer to the second computer incommunications therewith a process for securing communicationstherebetween is transmitted. One such process is a biometriccharacterization process for characterizing fingerprints. The process isfor execution on the second computer and is selected to be compatibletherewith. Communications from the second computer to the first computerare secured using the transmitted process on the second computer andusing, on the first computer, a compatible process to the transmittedprocess. The host computer can modify or replace the process or dataparticular to the process before each session, during a session, or atintervals.

See also, U.S. Pat. No. 6,081,900 (Secure intranet access); U.S. Pat.No. 6,081,750 (Ergonomic man-machine interface incorporating adaptivepattern recognition based control system); U.S. Pat. No. 6,081,199(Locking device for systems access to which is time-restricted); U.S.Pat. No. 6,079,621 (Secure card for E-commerce and identification); U.S.Pat. No. 6,078,265 (Fingerprint identification security system); U.S.Pat. No. 6,076,167 (Method and system for improving security in networkapplications); U.S. Pat. No. 6,075,455 (Biometric time and attendancesystem with epidermal topographical updating capability); U.S. Pat. No.6,072,894 (Biometric face recognition for applicant screening); U.S.Pat. No. 6,070,141 (System and method of assessing the quality of anidentification transaction using an identification quality score); U.S.Pat. No. 6,068,184 (Security card and system for use thereof); U.S. Pat.No. 6,064,751 (Document and signature data capture system and method);U.S. Pat. No. 6,056,197 (Information recording method for preventingalteration, information recording apparatus, and information recordingmedium); U.S. Pat. No. 6,052,468 (Method of securing a cryptographickey); U.S. Pat. No. 6,045,039 (Cardless automated teller transactions);U.S. Pat. No. 6,044,349 (Secure and convenient information storage andretrieval method and apparatus); U.S. Pat. No. 6,044,155 (Method andsystem for securely archiving core data secrets); U.S. Pat. No.6,041,410 (Personal identification fob); U.S. Pat. No. 6,040,783 (Systemand method for remote, wireless positive identity verification); U.S.Pat. No. 6,038,666 (Remote identity verification technique using apersonal identification device); U.S. Pat. No. 6,038,337 (Method andapparatus for object recognition); U.S. Pat. No. 6,038,315 (Method andsystem for normalizing biometric variations to authenticate users from apublic database and that ensures individual biometric data privacy);U.S. Pat. No. 6,037,870 (Detector system for access control, and adetector assembly for implementing such a system); U.S. Pat. No.6,035,406 (Plurality-factor security system); U.S. Pat. No. 6,035,402(Virtual certificate authority); U.S. Pat. No. 6,035,398 (Cryptographickey generation using biometric data); U.S. Pat. No. 6,031,910 (Methodand system for the secure transmission and storage of protectableinformation); U.S. Pat. No. 6,026,166 (Digitally certifying a useridentity and a computer system in combination); U.S. Pat. No. 6,018,739(Biometric personnel identification system); U.S. Pat. No. 6,016,476(Portable information and transaction processing system and methodutilizing biometric authorization and digital certificate security);U.S. Pat. No. 6,012,049 (System for performing financial transactionsusing a smartcard); U.S. Pat. No. 6,012,039 (Tokenless biometricelectronic rewards system); U.S. Pat. No. 6,011,858 (Memory card havinga biometric template stored thereon and system for using same); U.S.Pat. No. 6,009,177 (Enhanced cryptographic system and method with keyescrow feature); U.S. Pat. No. 6,006,328 (Computer softwareauthentication, protection, and security system); U.S. Pat. No.6,003,135 (Modular security device); U.S. Pat. No. 6,002,770 (Method forsecure data transmission between remote stations); U.S. Pat. No.5,999,637 (Individual identification apparatus for selectively recordinga reference pattern based on a correlation with comparative patterns);U.S. Pat. No. 5,999,095 (Electronic security system); U.S. Pat. No.5,995,630 (Biometric input with encryption); U.S. Pat. No. 5,991,431(Mouse adapted to scan biometric data); U.S. Pat. No. 5,991,429 (Facialrecognition system for security access and identification); U.S. Pat.No. 5,991,408 (Identification and security using biometricmeasurements); U.S. Pat. No. 5,987,155 (Biometric input device withperipheral port); U.S. Pat. No. 5,987,153 (Automated verification andprevention of spoofing for biometric data); U.S. Pat. No. 5,986,746(Topographical object detection system); U.S. Pat. No. 5,984,366(Unalterable self-verifying articles); U.S. Pat. No. 5,982,894 (Systemincluding separable protected components and associated methods); U.S.Pat. No. 5,979,773 (Dual smart card access control electronic datastorage and retrieval system and methods); U.S. Pat. No. 5,978,494(Method of selecting the best enroll image for personal identification);U.S. Pat. No. 5,974,146 (Real time bank-centric universal paymentsystem); U.S. Pat. No. 5,970,143 (Remote-auditing of computer generatedoutcomes, authenticated billing and access control, and softwaremetering system using cryptographic and other protocols); U.S. Pat. No.5,966,446 (Time-bracketing infrastructure implementation); U.S. Pat. No.5,963,908 (Secure logon to notebook or desktop computers); U.S. Pat. No.5,963,657 (Economical skin-pattern-acquisition and analysis apparatusfor access control; systems controlled thereby); U.S. Pat. No. 5,954,583(Secure access control system); U.S. Pat. No. 5,952,641 (Security devicefor controlling the access to a personal computer or to a computerterminal); U.S. Pat. No. 5,951,055 (Security document containing encodeddata block); U.S. Pat. No. 5,949,881 (Apparatus and method forcryptographic companion imprinting); U.S. Pat. No. 5,949,879 (Auditablesecurity system for the generation of cryptographically protecteddigital data); U.S. Pat. No. 5,949,046 (Apparatus for issuing integratedcircuit cards); U.S. Pat. No. 5,943,423 (Smart token system for secureelectronic transactions and identification); U.S. Pat. No. 5,935,071(Ultrasonic biometric imaging and identity verification system); U.S.Pat. No. 5,933,515 (User identification through sequential input offingerprints); U.S. Pat. No. 5,933,498 (System for controlling accessand distribution of digital property); U.S. Pat. No. 5,930,804(Web-based biometric authentication system and method); U.S. Pat. No.5,923,763 (Method and apparatus for secure document timestamping); U.S.Pat. No. 5,920,477 (Human factored interface incorporating adaptivepattern recognition based controller apparatus); U.S. Pat. No. 5,920,384(Optical imaging device); U.S. Pat. No. 5,920,058 (Holographic labelingand reading machine for authentication and security applications); U.S.Pat. No. 5,915,973 (System for administration of remotely-proctored,secure examinations and methods therefor); U.S. Pat. No. 5,913,196(System and method for establishing identity of a speaker); U.S. Pat.No. 5,913,025 (Method and apparatus for proxy authentication); U.S. Pat.No. 5,912,974 (Apparatus and method for authentication of printeddocuments); U.S. Pat. No. 5,912,818 (System for tracking and dispensingmedical items); U.S. Pat. No. 5,910,988 (Remote image capture withcentralized processing and storage); U.S. Pat. No. 5,907,149(Identification card with delimited usage); U.S. Pat. No. 5,901,246(Ergonomic man-machine interface incorporating adaptive patternrecognition based control system); U.S. Pat. No. 5,898,154 (System andmethod for updating security information in a time-based electronicmonetary system); U.S. Pat. No. 5,897,616 (Apparatus and methods forspeaker verification/identification/classification employingnon-acoustic and/or acoustic models and databases); U.S. Pat. No.5,892,902 (Intelligent token protected system with networkauthentication); U.S. Pat. No. 5,892,838 (Biometric recognition using aclassification neural network); U.S. Pat. No. 5,892,824 (Signaturecapture/verification systems and methods); U.S. Pat. No. 5,890,152(Personal feedback browser for obtaining media files); U.S. Pat. No.5,889,474 (Method and apparatus for transmitting subject statusinformation over a wireless communications network); U.S. Pat. No.5,881,226 (Computer security system); U.S. Pat. No. 5,878,144 (Digitalcertificates containing multimedia data extensions); U.S. Pat. No.5,876,926 (Method, apparatus and system for verification of humanmedical data); U.S. Pat. No. 5,875,108 (Ergonomic man-machine interfaceincorporating adaptive pattern recognition based control system); U.S.Pat. No. 5,872,849 (Enhanced cryptographic system and method with keyescrow feature); U.S. Pat. No. 5,872,848 (Method and apparatus forwitnessed authentication of electronic documents); U.S. Pat. No.5,872,834 (Telephone with biometric sensing device); U.S. Pat. No.5,870,723 (Tokenless biometric transaction authorization method andsystem); U.S. Pat. No. 5,869,822 (Automated fingerprint identificationsystem); U.S. Pat. No. 5,867,802 (Biometrically secured control systemfor preventing the unauthorized use of a vehicle); U.S. Pat. No.5,867,795 (Portable electronic device with transceiver and visual imagedisplay); U.S. Pat. No. 5,867,578 (Adaptive multi-step digital signaturesystem and method of operation thereof); U.S. Pat. No. 5,862,260(Methods for surveying dissemination of proprietary empirical data);U.S. Pat. No. 5,862,246 (Knuckle profile identity verification system);U.S. Pat. No. 5,862,223 (Method and apparatus for acryptographically-assisted commercial network system designed tofacilitate and support expert-based commerce); U.S. Pat. No. 5,857,022(Enhanced cryptographic system and method with key escrow feature); U.S.Pat. No. 5,850,451 (Enhanced cryptographic system and method with keyescrow feature); U.S. Pat. No. 5,850,442 (Secure world wide electroniccommerce over an open network); U.S. Pat. No. 5,848,231 (Systemconfiguration contingent upon secure input); U.S. Pat. No. 5,844,244(Portable identification carrier); U.S. Pat. No. 5,841,907 (Spatialintegrating optical correlator for verifying the authenticity of aperson, product or thing); U.S. Pat. No. 5,841,886 (Security system forphotographic identification); U.S. Pat. No. 5,841,865 (Enhancedcryptographic system and method with key escrow feature); U.S. Pat. No.5,841,122 (Security structure with electronic smart card access theretowith transmission of power and data between the smart card and the smartcard reader performed capacitively or inductively); U.S. Pat. No.5,838,812 (Tokenless biometric transaction authorization system); U.S.Pat. No. 5,832,464 (System and method for efficiently processingpayments via check and electronic funds transfer); U.S. Pat. No.5,832,119 (Methods for controlling systems using control signalsembedded in empirical data); U.S. Pat. No. 5,828,751 (Method andapparatus for secure measurement certification); U.S. Pat. No. 5,825,880(Multi-step digital signature method and system); U.S. Pat. No.5,825,871 (Information storage device for storing personalidentification information); U.S. Pat. No. 5,815,577 (Methods andapparatus for securely encrypting data in conjunction with a personalcomputer); U.S. Pat. No. 5,815,252 (Biometric identification process andsystem utilizing multiple parameters scans for reduction of falsenegatives); U.S. Pat. No. 5,805,719 (Tokenless identification ofindividuals); U.S. Pat. No. 5,802,199 (Use sensitive identificationsystem); U.S. Pat. No. 5,799,088 (Non-deterministic public keyencryption system); U.S. Pat. No. 5,799,086 (Enhanced cryptographicsystem and method with key escrow feature); U.S. Pat. No. 5,799,083(Event verification system); U.S. Pat. No. 5,790,674 (System and methodof providing system integrity and positive audit capabilities to apositive identification system); U.S. Pat. No. 5,790,668 (Method andapparatus for securely handling data in a database of biometrics andassociated data); U.S. Pat. No. 5,789,733 (Smart card with contactlessoptical interface); U.S. Pat. No. 5,787,187 (Systems and methods forbiometric identification using the acoustic properties of the earcanal); U.S. Pat. No. 5,784,566 (System and method for negotiatingsecurity services and algorithms for communication across a computernetwork); U.S. Pat. No. 5,784,461 (Security system for controllingaccess to images and image related services); U.S. Pat. No. 5,774,551(Pluggable account management interface with unified login and logoutand multiple user authentication services); U.S. Pat. No. 5,771,071(Apparatus for coupling multiple data sources onto a printed document);U.S. Pat. No. 5,770,849 (Smart card device with pager and visual imagedisplay); U.S. Pat. No. 5,768,382 (Remote-auditing of computer generatedoutcomes and authenticated billing and access control system usingcryptographic and other protocols); U.S. Pat. No. 5,767,496 (Apparatusfor processing symbol-encoded credit card information); U.S. Pat. No.5,764,789 (Tokenless biometric ATM access system); U.S. Pat. No.5,763,862 (Dual card smart card reader); U.S. Pat. No. 5,761,298(Communications headset with universally adaptable receiver and voicetransmitter); U.S. Pat. No. 5,757,916 (Method and apparatus forauthenticating the location of remote users of networked computingsystems); U.S. Pat. No. 5,757,431 (Apparatus for coupling multiple datasources onto a printed document); U.S. Pat. No. 5,751,836 (Automated,non-invasive iris recognition system and method); U.S. Pat. No.5,751,809 (Apparatus and method for securing captured data transmittedbetween two sources); U.S. Pat. No. 5,748,738 (System and method forelectronic transmission, storage and retrieval of authenticateddocuments); U.S. Pat. No. 5,745,573 (System and method for controllingaccess to a user secret); U.S. Pat. No. 5,745,555 (System and methodusing personal identification numbers and associated prompts forcontrolling unauthorized use of a security device and unauthorizedaccess to a resource); U.S. Pat. No. 5,742,685 (Method for verifying anidentification card and recording verification of same); U.S. Pat. No.5,742,683 (System and method for managing multiple users with differentprivileges in an open metering system); U.S. Pat. No. 5,737,420 (Methodfor secure data transmission between remote stations); U.S. Pat. No.5,734,154 (Smart card with integrated reader and visual image display);U.S. Pat. No. 5,719,950 (Biometric, personal authentication system);U.S. Pat. No. 5,712,914 (Digital certificates containing multimedia dataextensions); U.S. Pat. No. 5,712,912 (Method and apparatus for securelyhandling a personal identification number or cryptographic key usingbiometric techniques); U.S. Pat. No. 5,706,427 (Authentication methodfor networks); U.S. Pat. No. 5,703,562 (Method for transferring datafrom an unsecured computer to a secured computer); U.S. Pat. No.5,696,827 (Secure cryptographic methods for electronic transfer ofinformation); U.S. Pat. No. 5,682,142 (Electronic controlsystem/network); U.S. Pat. No. 5,682,032 (Capacitively coupled identityverification and escort memory apparatus); U.S. Pat. No. 5,680,460(Biometric controlled key generation); U.S. Pat. No. 5,668,878 (Securecryptographic methods for electronic transfer of information); U.S. Pat.No. 5,666,400 (Intelligent recognition); U.S. Pat. No. 5,659,616 (Methodfor securely using digital signatures in a commercial cryptographicsystem); U.S. Pat. No. 5,647,364 (Ultrasonic biometric imaging andidentity verification system); U.S. Pat. No. 5,647,017 (Method andsystem for the verification of handwritten signatures); U.S. Pat. No.5,646,839 (Telephone-based personnel tracking system); U.S. Pat. No.5,636,282 (Method for dial-in access security using a multimedia modem);U.S. Pat. No. 5,633,932 (Apparatus and method for preventing disclosurethrough user-authentication at a printing node); U.S. Pat. No. 5,615,277(Tokenless security system for authorizing access to a secured computersystem); U.S. Pat. No. 5,613,012 (Tokenless identification system forauthorization of electronic transactions and electronic transmissions);U.S. Pat. No. 5,608,387 (Personal identification devices and accesscontrol systems); U.S. Pat. No. 5,594,806 (Knuckle profile identityverification system); U.S. Pat. No. 5,592,408 (Identification card andaccess control device); U.S. Pat. No. 5,588,059 (Computer system andmethod for secure remote communication sessions); U.S. Pat. No.5,586,171 (Selection of a voice recognition data base responsive tovideo data); U.S. Pat. No. 5,583,950 (Method and apparatus for flashcorrelation); U.S. Pat. No. 5,583,933 (Method and apparatus for thesecure communication of data); U.S. Pat. No. 5,578,808 (Data card thatcan be used for transactions involving separate card issuers); U.S. Pat.No. 5,572,596 (Automated, non-invasive iris recognition system andmethod); U.S. Pat. No. 5,561,718 (Classifying faces); U.S. Pat. No.5,559,885 (Two stage read-write method for transaction cards); U.S. Pat.No. 5,557,765 (System and method for data recovery); U.S. Pat. No.5,553,155 (Low cost method employing time slots for thwarting fraud inthe periodic issuance of food stamps, unemployment benefits or othergovernmental human services); U.S. Pat. No. 5,544,255 (Method and systemfor the capture, storage, transport and authentication of handwrittensignatures); U.S. Pat. No. 5,534,855 (Method and system for certificatebased alias detection); U.S. Pat. No. 5,533,123 (Programmabledistributed personal security); U.S. Pat. No. 5,526,428 (Access controlapparatus and method); U.S. Pat. No. 5,523,739 (Metal detector forcontrol of access combined in an integrated form with a transponderdetector); U.S. Pat. No. 5,497,430 (Method and apparatus for imagerecognition using invariant feature signals); U.S. Pat. No. 5,485,519(Enhanced security for a secure token code); U.S. Pat. No. 5,485,312(Optical pattern recognition system and method for verifying theauthenticity of a person, product or thing); U.S. Pat. No. 5,483,601(Apparatus and method for biometric identification using silhouette anddisplacement images of a portion of a person's hand); U.S. Pat. No.5,478,993 (Process as safety concept against unauthorized use of apayment instrument in cashless payment at payment sites); U.S. Pat. No.5,475,839 (Method and structure for securing access to a computersystem); U.S. Pat. No. 5,469,506 (Apparatus for verifying anidentification card and identifying a person by means of a biometriccharacteristic); U.S. Pat. No. 5,457,747 (Anti-fraud verification systemusing a data card); U.S. Pat. No. 5,455,407 (Electronic-monetarysystem); U.S. Pat. No. 5,453,601 (Electronic-monetary system); U.S. Pat.No. 5,448,045 (System for protecting computers via intelligent tokens orsmart cards); U.S. Pat. No. 5,432,864 (Identification card verificationsystem); U.S. Pat. No. 5,414,755 (System and method for passive voiceverification in a telephone network); U.S. Pat. No. 5,412,727(Anti-fraud voter registration and voting system using a data card);U.S. Pat. No. 5,363,453 (Non-minutiae automatic fingerprintidentification system and methods); U.S. Pat. No. 5,347,580(Authentication method and system with a smartcard); U.S. Pat. No.5,345,549 (Multimedia based security systems); U.S. Pat. No. 5,341,428(Multiple cross-check document verification system); U.S. Pat. No.5,335,288 (Apparatus and method for biometric identification); U.S. Pat.No. 5,291,560 (Biometric personal identification system based on irisanalysis); U.S. Pat. No. 5,283,431 (Optical key security access system);U.S. Pat. No. 5,280,527 (Biometric token for authorizing access to ahost system); U.S. Pat. No. 5,272,754 (Secure computer interface); U.S.Pat. No. 5,245,329 (Access control system with mechanical keys whichstore data); U.S. Pat. No. 5,229,764 (Continuous biometricauthentication matrix); U.S. Pat. No. 5,228,094 (Process of identifyingand authenticating data characterizing an individual); U.S. Pat. No.5,224,173 (Method of reducing fraud in connection with employment,public license applications, social security, food stamps, welfare orother government benefits); U.S. Pat. No. 5,208,858 (Method forallocating useful data to a specific originator); U.S. Pat. No.5,204,670 (Adaptable electric monitoring and identification system);U.S. Pat. No. 5,191,611 (Method and apparatus for protecting material onstorage media and for transferring material on storage media to variousrecipients); U.S. Pat. No. 5,163,094 (Method for identifying individualsfrom analysis of elemental shapes derived from biosensor data); U.S.Pat. No. 5,155,680 (Billing system for computing software); U.S. Pat.No. 5,131,038 (Portable authentification system); U.S. Pat. No.5,073,950 (Finger profile identification system); U.S. Pat. No.5,067,162 (Method and apparatus for verifying identity using imagecorrelation); U.S. Pat. No. 5,065,429 (Method and apparatus forprotecting material on storage media); U.S. Pat. No. 5,056,147(Recognition procedure and an apparatus for carrying out the recognitionprocedure); U.S. Pat. No. 5,056,141 (Method and apparatus for theidentification of personnel); U.S. Pat. No. 5,036,461 (Two-wayauthentication system between user's smart card and issuer-specificplug-in application modules in multi-issued transaction device); U.S.Pat. No. 5,020,105 (Field initialized authentication system forprotective security of electronic information networks); U.S. Pat. No.4,993,068 (Unforgettable personal identification system); U.S. Pat. No.4,972,476 (Counterfeit proof ID card having a scrambled facial image);U.S. Pat. No. 4,961,142 (Multi-issuer transaction device with individualidentification verification plug-in application modules for eachissuer); U.S. Pat. No. 4,952,928 (Adaptable electronic monitoring andidentification system); U.S. Pat. No. 4,941,173 (Device and method torender secure the transfer of data between a videotex terminal and aserver); U.S. Pat. No. 4,926,480 (Card-computer moderated systems); U.S.Pat. No. 4,896,363 (Apparatus and method for matching imagecharacteristics such as fingerprint minutiae); U.S. Pat. No. 4,890,323(Data communication systems and methods); U.S. Pat. No. 4,868,376(Intelligent portable interactive personal data system); U.S. Pat. No.4,827,518 (Speaker verification system using integrated circuit cards);U.S. Pat. No. 4,819,267 (Solid state key for controlling access tocomputer systems and to computer software and/or for securecommunications); U.S. Pat. No. 4,752,676 (Reliable secure, updatable“cash” card system); U.S. Pat. No. 4,736,203 (3D hand profileidentification apparatus); U.S. Pat. No. 4,731,841 (Field initializedauthentication system for protective security of electronic informationnetworks); U.S. Pat. No. 4,564,018 (Ultrasonic system for obtainingocular measurements), each of which is expressly incorporated herein byreference.

Content-Based Query Servers

U.S. Pat. No. 5,987,459 (Swanson, et al. Nov. 16, 1999), expresslyincorporated herein by reference, relates to an image and documentmanagement system for content-based retrieval support directly into thecompressed files. The system minimizes a weighted sum of the expectedsize of the compressed files and the expected query response time.Object searching of documents stored by the system is possible on ascalable resolution basis. The system includes a novel objectrepresentation based on embedded prototypes that provides forhigh-quality browsing of retrieval images at low bit rates.

U.S. Pat. No. 6,038,560 (Wical, Mar. 14, 2000), expressly incorporatedherein by reference, relates to a concept knowledge base search andretrieval system, which includes factual knowledge base queries andconcept knowledge base queries, is disclosed. A knowledge base storesassociations among terminology/categories that have a lexical, semanticor usage association. Document theme vectors identify the content ofdocuments through themes as well as through classification of thedocuments in categories that reflects what the documents are primarilyabout. The factual knowledge base queries identify, in response to aninput query, documents relevant to the input query through expansion ofthe query terms as well as through expansion of themes. The conceptknowledge base query does not identify specific documents in response toa query, but specifies terminology that identifies the potentialexistence of documents in a particular area.

U.S. Pat. No. 6,067,466 (Selker, et al., May 23, 2000), expresslyincorporated herein by reference, relates to a diagnostic tool using apredictive instrument. A method is provided for evaluating a medicalcondition of a patient including the steps of monitoring one or moreclinical features of a patient; based on the monitored features,computing a primary probability of a medical outcome or diagnosis;computing a plurality of conditional probabilities for a selecteddiagnostic test, the computed conditional probabilities including afirst probability of the medical outcome or diagnosis assuming theselected diagnostic test produces a first outcome and a secondprobability of the medical outcome or diagnosis assuming the selecteddiagnostic test produces a second outcome; and displaying the computedprimary probability as well as the plurality of computed conditionalprobabilities to a user as an aid to determining whether to administerthe selected diagnostic test to the patient.

Jurisdictional Processing Dependence

U.S. Pat. No. 6,064,968 (Schanz, May 16, 2000), expressly incorporatedherein by reference, relates to systems, methods and computer programproducts for identifying unique and common legal requirements for aregulated activity among multiple legal jurisdictions. Systems, methodsand computer program products facilitate user compliance with laws thatpertain to a regulated activity in each of a plurality of legaljurisdictions. A user selects, via a user interface in communicationwith a data processing system, a component that relates to an aspect ofthe regulated activity. A user also selects, via a user interface incommunication with the data processing system, first and second legaljurisdictions from the plurality of legal jurisdictions. In response tothe user selections, elements of the selected component that are uniqueand common to the first and second legal jurisdictions are displayed.Each displayed element is a legal requirement associated with theregulated activity as defined by laws of a respective legaljurisdiction.

E-Commerce Systems

U.S. Pat. No. 5,946,669 (Polk, Aug. 31, 1999), expressly incorporatedherein by reference, relates to a method and apparatus for paymentprocessing using debit-based electronic funds transfer and disbursementprocessing using addendum-based electronic data interchange. Thisdisclosure describes a payment and disbursement system, wherein aninitiator authorizes a payment and disbursement to a collector and thecollector processes the payment and disbursement through an accumulatoragency. The accumulator agency processes the payment as a debit-basedtransaction and processes the disbursement as an addendum-basedtransaction. The processing of a debit-based transaction generallyoccurs by electronic funds transfer (EFT) or by financial electronicdata interchange (FEDI). The processing of an addendum-based transactiongenerally occurs by electronic data interchange (EDI).

U.S. Pat. No. 6,005,939 (Fortenberry, et al., Dec. 21, 1999), expresslyincorporated herein by reference, relates to a method and apparatus forstoring an Internet user's identity and access rights to World Wide Webresources. A method and apparatus for obtaining user information toconduct secure transactions on the Internet without having to re-enterthe information multiple times is described. The method and apparatuscan also provide a technique by which secured access to the data can beachieved over the Internet. A passport containing user-definedinformation at various security levels is stored in a secure serverapparatus, or passport agent, connected to computer network. A userprocess instructs the passport agent to release all or portions of thepassport to a recipient node and forwards a key to the recipient node tounlock the passport information.

U.S. Pat. No. 6,016,484 (Williams, et al., Jan. 18, 2000), expresslyincorporated herein by reference, relates to a system, method andapparatus for network electronic payment instrument and certification ofpayment and credit collection utilizing a payment. An electronicmonetary system provides for transactions utilizing anelectronic-monetary system that emulates a wallet or a purse that iscustomarily used for keeping money, credit cards and other forms ofpayment organized. Access to the instruments in the wallet or purse isrestricted by a password to avoid unauthorized payments. A certificateform must be completed in order to obtain an instrument. The certificateform obtains the information necessary for creating a certificategranting authority to utilize an instrument, a payment holder and acomplete electronic wallet. Electronic approval results in thegeneration of an electronic transaction to complete the order. If a userselects a particular certificate, a particular payment instrument holderwill be generated based on the selected certificate. In addition, theissuing agent for the certificate defines a default bitmap for theinstrument associated with a particular certificate, and the defaultbitmap will be displayed when the certificate definition is completed.Finally, the number associated with a particular certificate will beutilized to determine if a particular party can issue a certificate.

U.S. Pat. No. 6,029,150 (Kravitz, Feb. 22, 2000), expressly incorporatedherein by reference, relates to a system and method of payment in anelectronic payment system wherein a plurality of customers have accountswith an agent. A customer obtains an authenticated quote from a specificmerchant, the quote including a specification of goods and a paymentamount for those goods. The customer sends to the agent a singlecommunication including a request for payment of the payment amount tothe specific merchant and a unique identification of the customer. Theagent issues to the customer an authenticated payment advice based onlyon the single communication and secret shared between the customer andthe agent and status information, which the agent knows about themerchant, and/or the customer. The customer forwards a portion of thepayment advice to the specific merchant. The specific merchant providesthe goods to the customer in response to receiving the portion of thepayment advice.

U.S. Pat. No. 6,047,269 (Biffar, Apr. 4, 2000), expressly incorporatedherein by reference, relates to a self-contained payment system withcreating and facilitating transfer of circulating digital vouchersrepresenting value. A digital voucher has an identifying element and adynamic log. The identifying element includes information such as thetransferable value, a serial number and a digital signature. The dynamiclog records the movement of the voucher through the system andaccordingly grows over time. This allows the system operator to not onlyreconcile the vouchers before redeeming them, but also to recreate thehistory of movement of a voucher should an irregularity like a duplicatevoucher be detected. These vouchers are used within a self-containedsystem including a large number of remote devices that are linked to acentral system. The central system can be linked to an external system.The external system, as well as the remote devices, is connected to thecentral system by any one or a combination of networks. The networksmust be able to transport digital information, for example the Internet,cellular networks, telecommunication networks, cable networks orproprietary networks. Vouchers can also be transferred from one remotedevice to another remote device. These remote devices can communicatethrough a number of methods with each other. For example, for anon-face-to-face transaction the Internet is a choice, for aface-to-face or close proximity transactions tone signals or lightsignals are likely methods. In addition, at the time of a transaction adigital receipt can be created which will facilitate a fast replacementof vouchers stored in a lost remote device.

Micropayments

U.S. Pat. No. 5,999,919 (Jarecki, et al., Dec. 7, 1999), expresslyincorporated herein by reference, relates to an efficient micropaymentsystem. Existing software proposals for electronic payments can bedivided into “on-line” schemes which require participation of a trustedparty (the bank) in every transaction and are secure againstoverspending, and “off-line” schemes which do not require a third partyand guarantee only that overspending is detected when vendors submittheir transaction records to the bank (usually at the end of the day). Anew “hybrid” scheme is proposed which combines the advantages of both“on-line” and “off-line” electronic payment schemes. It allows forcontrol of overspending at a cost of only a modest increase incommunication compared to the off-line schemes. The protocol is based onprobabilistic polling. During each transaction, with some smallprobability, the vendor forwards information about this transaction tothe bank. This enables the bank to maintain an accurate approximation ofa customer's spending. The frequency of polling messages is related tothe monetary value of transactions and the amount of overspending thebank is willing to risk. For transactions of high monetary value, thecost of polling approaches that of the on-line schemes, but formicropayments, the cost of polling is a small increase over the trafficincurred by the off-line schemes.

Micropayments are often preferred where the amount of the transactiondoes not justify the costs of complete financial security. In themicropayment scheme, typically a direct communication between creditorand debtor is not required; rather, the transaction produces a resultwhich eventually results in an economic transfer, but which may remainoutstanding subsequent to transfer of the underlying goods or services.The theory underlying this micropayment scheme is that the monetaryunits are small enough such that risks of failure in transaction closureis relatively insignificant for both parties, but that a user gets fewchances to default before credit is withdrawn. On the other hand, thetransaction costs of a non-real time transactions of small monetaryunits are substantially less than those of secure, unlimited orpotentially high value, real time verified transactions, allowing andfacilitating such types of commerce. Thus, the rights management systemmay employ applets local to the client system, which communicate withother applets and/or the server and/or a vendor/rights-holder tovalidate a transaction, at low transactional costs.

The following U.S. patents, expressly incorporated herein by reference,define aspects of micropayment, digital certificate, and on-line paymentsystems: U.S. Pat. No. 5,930,777 (Barber, Jul. 27, 1999, Method ofcharging for pay-per-access information over a network); U.S. Pat. No.5,857,023 (Jan. 5, 1999, Demers et al., Space efficient method ofredeeming electronic payments); U.S. Pat. No. 5,815,657 (Sep. 29, 1998,Williams, System, method and article of manufacture for networkelectronic authorization utilizing an authorization instrument); U.S.Pat. No. 5,793,868 (Aug. 11, 1998, Micali, Certificate revocationsystem), U.S. Pat. No. 5,717,757 (Feb. 10, 1998, Micali, Certificateissue lists); U.S. Pat. No. 5,666,416 (Sep. 9, 1997, Micali, Certificaterevocation system); U.S. Pat. No. 5,677,955 (Doggett et al., Electronicfunds transfer instruments); U.S. Pat. No. 5,839,119 (Nov. 17, 1998,Krsul; et al., Method of electronic payments that preventsdouble-spending); U.S. Pat. No. 5,915,093 (Berlin et al.); U.S. Pat. No.5,937,394 (Wong, et al.); U.S. Pat. No. 5,933,498 (Schneck et al.); U.S.Pat. No. 5,903,880 (Biffar); U.S. Pat. No. 5,903,651 (Kocher); U.S. Pat.No. 5,884,277 (Khosla); U.S. Pat. No. 5,960,083 (Sep. 28, 1999, Micali,Certificate revocation system); U.S. Pat. No. 5,963,924 (Oct. 5, 1999,Williams et al., System, method and article of manufacture for the useof payment instrument holders and payment instruments in networkelectronic commerce); U.S. Pat. No. 5,996,076 (Rowney et al., System,method and article of manufacture for secure digital certification ofelectronic commerce); U.S. Pat. No. 6,016,484 (Jan. 18, 2000, Williamset al., System, method and article of manufacture for network electronicpayment instrument and certification of payment and credit collectionutilizing a payment); U.S. Pat. No. 6,018,724 (Arent); U.S. Pat. No.6,021,202 (Anderson et al., Method and system for processing electronicdocuments); U.S. Pat. No. 6,035,402 (Vaeth et al.); U.S. Pat. No.6,049,786 (Smorodinsky); U.S. Pat. No. 6,049,787 (Takahashi, et al.);U.S. Pat. No. 6,058,381 (Nelson, Many-to-many payments system fornetwork content materials); U.S. Pat. No. 6,061,448 (Smith, et al.);U.S. Pat. No. 5,987,132 (Nov. 16, 1999, Rowney, System, method andarticle of manufacture for conditionally accepting a payment methodutilizing an extensible, flexible architecture); U.S. Pat. No. 6,057,872(Candelore); and U.S. Pat. No. 6,061,665 (May 9, 2000, Bahreman, System,method and article of manufacture for dynamic negotiation of a networkpayment framework). See also, Rivest and Shamir, “PayWord and MicroMint:Two Simple Micropayment Schemes” (May 7, 1996); Micro PAYMENT transferProtocol (MPTP) Version 0.1 (22 Nov. 95) et seq.,http://www.w3.org/pub/WWW/TRIWD-mptp; Common Markup for web MicropaymentSystems, http://www.w3.org/TRIWD-Micropayment-Markup (9 Jun. 99);“Distributing Intellectual Property: a Model of Microtransaction BasedUpon Metadata and Digital Signatures”, Olivia, Maurizio,http://olivia.modlang.denison.edu/˜olivia/RFC/09/, all of which areexpressly incorporated herein by reference.

See, also: U.S. Pat. No. 4,977,595 (Dec. 11, 1990, Method and apparatusfor implementing electronic cash); U.S. Pat. No. 5,224,162 (Jun. 29,1993, Electronic cash system); U.S. Pat. No. 5,237,159 (Aug. 17, 1993,Electronic check presentment system); U.S. Pat. No. 5,392,353 (February1995, Morales, TV Answer, Inc. Interactive satellite broadcast network);U.S. Pat. No. 5,511,121 (Apr. 23, 1996, Efficient electronic money);U.S. Pat. No. 5,621,201 (April 1997, Langhans et al., Visa InternationalAutomated purchasing control system); U.S. Pat. No. 5,623,547 (Apr. 22,1997, Value transfer system); U.S. Pat. No. 5,679,940 (October 1997,Templeton et al., TeleCheck International, Inc. Transaction system withon/off line risk assessment); U.S. Pat. No. 5,696,908 (December 1997,Muehlberger et al., Southeast Phonecard, Inc. Telephone debit carddispenser and method); U.S. Pat. No. 5,754,939 (May 1998, Herz et al.,System for generation of user profiles for a system for customizedelectronic identification of desirable objects); U.S. Pat. No. 5,768,385(Jun. 16, 1998, Untraceable electronic cash); U.S. Pat. No. 5,799,087(Aug. 25, 1998, Electronic-monetary system); U.S. Pat. No. 5,812,668(Sep. 22, 1998, System, method and article of manufacture for verifyingthe operation of a remote transaction clearance system utilizing amultichannel, extensible, flexible architecture); U.S. Pat. No.5,828,840 (Oct. 27, 1998, Server for starting client application onclient if client is network terminal and initiating client applicationon server if client is non network terminal); U.S. Pat. No. 5,832,089(Nov. 3, 1998, Off-line compatible electronic cash method and system);U.S. Pat. No. 5,850,446 (Dec. 15, 1998, System, method and article ofmanufacture for virtual point of sale processing utilizing anextensible, flexible architecture); U.S. Pat. No. 5,889,862 (Mar. 30,1999, Method and apparatus for implementing traceable electronic cash);U.S. Pat. No. 5,889,863 (Mar. 30, 1999, System, method and article ofmanufacture for remote virtual point of sale processing utilizing amultichannel, extensible, flexible architecture); U.S. Pat. No.5,898,154 (Apr. 27, 1999, System and method for updating securityinformation in a time-based electronic monetary system); U.S. Pat. No.5,901,229 (May 4, 1999, Electronic cash implementing method using atrustee); U.S. Pat. No. 5,920,629 (Jul. 6, 1999, Electronic-monetarysystem); U.S. Pat. No. 5,926,548 (Jul. 20, 1999, Method and apparatusfor implementing hierarchical electronic cash); U.S. Pat. No. 5,943,424(Aug. 24, 1999, System, method and article of manufacture for processinga plurality of transactions from a single initiation point on amultichannel, extensible, flexible architecture); U.S. Pat. No.5,949,045 (Sep. 7, 1999, Micro-dynamic simulation of electronic cashtransactions); U.S. Pat. No. 5,952,638 (Sep. 14, 1999, Space efficientmethod of electronic payments); U.S. Pat. No. 5,963,648 (Oct. 5, 1999,Electronic-monetary system); U.S. Pat. No. 5,978,840 (System, method andarticle of manufacture for a payment gateway system architecture forprocessing encrypted payment transactions utilizing a multichannel,extensible, flexible architecture); U.S. Pat. No. 5,983,208 (Nov. 9,1999, System, method and article of manufacture for handling transactionresults in a gateway payment architecture utilizing a multichannel,extensible, flexible architecture); U.S. Pat. No. 5,987,140 (Nov. 16,1999, System, method and article of manufacture for secure networkelectronic payment and credit collection); U.S. Pat. No. 6,002,767 (Dec.14, 1999, System, method and article of manufacture for a modulargateway server architecture); U.S. Pat. No. 6,003,765 (Dec. 21, 1999,Electronic cash implementing method with a surveillance institution, anduser apparatus and surveillance institution apparatus for implementingthe same); U.S. Pat. No. 6,021,399 (Feb. 1, 2000, Space efficient methodof verifying electronic payments); U.S. Pat. No. 6,026,379 (Feb. 15,2000, System, method and article of manufacture for managingtransactions in a high availability system); U.S. Pat. No. 6,029,150(Feb. 22, 2000, Payment and transactions in electronic commerce system);U.S. Pat. No. 6,029,151 (Feb. 22, 2000, Method and system for performingelectronic money transactions); U.S. Pat. No. 6,047,067 (Apr. 4, 2000,Electronic-monetary system); U.S. Pat. No. 6,047,887 (Apr. 11, 2000,System and method for connecting money modules); U.S. Pat. No. 6,055,508(Apr. 25, 2000, Method for secure accounting and auditing on acommunications network); U.S. Pat. No. 6,065,675 (May 23, 2000,Processing system and method for a heterogeneous electronic cashenvironment); U.S. Pat. No. 6,072,870 (Jun. 6, 2000, System, method andarticle of manufacture for a gateway payment architecture utilizing amultichannel, extensible, flexible architecture), each of which isexpressly incorporated herein by reference.

Memory Cards

U.S. Pat. No. 6,021,393 (Honda, et al., Feb. 1, 2000), expresslyincorporated herein by reference, relates to a medical informationmanagement system. As a portable memory card carried by a patient tostore the patient's personal medical information, a hybrid-type memorycard is used which includes an optical information recording area, anintegrated circuit memory area and a magnetic information recordingarea. A read/write drive for the memory card includes an optical head, acarrier mechanism for loading the memory card on a carrier table andmoving the loaded memory card relative to the optical head, and acoupler section for coupling electronic information to be read andwritten from and to the integrated circuit memory area of the memorycard, so that reading and writing of optical information from and to theoptical information recording area can be conducted simultaneously withreading and writing of the electronic information from and to theintegrated circuit memory area.

U.S. Pat. No. 6,031,910 (Deindl, et al., Feb. 29, 2000), expresslyincorporated herein by reference, relates to a method and system for thesecure transmission and storage of protectable information, such aspatient information, by means of a patient card. The data stored on thepatient card are protected by cryptographic methods. The data isdecrypted only with the same patient card if a doctor is authorized andthe patient has given his agreement. All information that the patientcard needs in order to decide whether the doctor is authorized, and thekey for protecting the control data and the random key are held on thechip. The patient data can be freely transmitted to any storage medium.The chip controls both the access to the data and the encryption anddecryption functions. Random keys, which are themselves stored encryptedtogether with the data, ensure that every data record remains separatefrom every other data record, and that only authorized persons canaccess it. Every patient card has its own record key. The system andmethod are not directed exclusively to patient data but can be appliedto any protectable data to which right of access is to be restricted.

U.S. Pat. No. 6,034,605 (March, Mar. 7, 2000), expressly incorporatedherein by reference, relates to a system and method for secure storageof personal information and for broadcast of the personal information ata time of emergency. A sealed package contains a medium storing personalinformation associated with an individual. The sealed package is storedat a facility until an emergency occurs. At a time of emergency, amissing person report concerning the individual generated by a lawenforcement agency is processed. The personal information in theindividual's sealed package is accessed in response to the missingperson report and then broadcast on an electronic bulletin boardaccessible via the Internet.

U.S. Pat. No. 6,042,005 (Basile, et al., Mar. 28, 2000), expresslyincorporated herein by reference, relates to a personal identificationsystem for children, that includes two forms of identification. Anidentification card carried by the user contains the user's personal andmedical information in an electronic medium. The identification cardincludes photographs of the user and their parent or legal guardian, aunique identification number for the user, and a list of corporatesponsors. The second identification device is to be worn by the user andincludes the user's unique identification number and an access telephonenumber. A user interface enables the users to update their storedpersonal and medical information.

Jurisdictional Processing Dependence

U.S. Pat. No. 6,064,968 (Schanz, May 16, 2000), expressly incorporatedherein by reference, relates to systems, methods and computer programproducts for identifying unique and common legal requirements for aregulated activity among multiple legal jurisdictions. Systems, methodsand computer program products facilitate user compliance with laws thatpertain to a regulated activity in each of a plurality of legaljurisdictions. A user selects, via a user interface in communicationwith a data processing system, a component that relates to an aspect ofthe regulated activity. A user also selects, via a user interface incommunication with the data processing system, first and second legaljurisdictions from the plurality of legal jurisdictions. In response tothe user selections, elements of the selected component that are uniqueand common to the first and second legal jurisdictions are displayed.Each displayed element is a legal requirement associated with theregulated activity as defined by laws of a respective legaljurisdiction.

SUMMARY OF THE INVENTION

The present invention provides a trustee model for the collection,maintenance and distribution of entrusted information content, such asmedical records or copyright works. Medical institutions and individualsare responsible for creating and storing medical records for patientstreated. These medical institutions are the custodians of the records,over which the patient, or the successors of the patient hold rights.One of the patient's rights is the right to control release of therecords.

The present invention therefore seeks to provide a comprehensive set oftechnologies to address the full scope of issues presented inimplementing a secure and versatile medical information infrastructurethat respects the rights of patients to privileges, such asconfidentiality, gives due regard to federal and state regulations,while facilitating full and appropriate use and transmission of thedata.

One aspect of the present invention therefore provides that each recordis maintained within a virtual trust. In the case where they holdmedical records, they are called “medical information trusts withrespect to the information contained for each medical encounter, apatient's entire medical record or an entire medical record database.Similarly the concept of virtual trusts may be applied anywhereinformation is privileged. For example, legal information trusts wouldapply to the attorney client relationship, a banking information trustto the bank-depositor relationship, a government information trust tothe government-citizen relationship (e.g. information on Form 1040's).

In the commercial area, examples include: entertainment informationtrusts could be utilized by recording artists and companies and themovie and television industries and artists to restrict access to theirintellectual property and thereby prevent piracy and ensure theirroyalty revenue stream; subscription information trusts could beutilized by publishers of electronic magazines and newspapers; bookinformation trusts could be utilized by electronic book publishers;retail information trusts could be utilized by retailers wishing toassure that they do not sell personal information, addresses and phonenumbers of their customer; financial information trusts by securitiesfirms and investment companies to hold investor account information;educational information trusts for tracking student test results andgrades. Trusts could also be established for personal information (suchas user preferences and profiles), publication and subscriptioninformation, retail and demographic information, educationalinformation, and consumer information.

Consumer information trusts could also be utilized to prevent theunauthorized distribution of personal information including SocialSecurity numbers, credit card numbers and other personal informationtransmitted electronically.

Thus, the system according to the present invention provides a conduitfor the authorized transmission of medical records, while maintainingthe security of the records against unauthorized access. A preferredcommunications network is the Internet, a global interconnected set ofpublic access networks, employing standardized protocols. Thus, therecords may be transmitted virtually anywhere on earth using a singleinfrastructure. Alternately, private networks or virtual privatenetworks may be employed. In fact, as the system according to thepresent invention gains ubiquity, a private network model would bepreferred, in order to increase security and allow the system to betuned to the types of data and quality of service demands made by users.

Where the data is transmitted outside of an institution, it ispreferably encrypted. While there are many types of encryption, apreferred model is the public key infrastructure, which may be employedin various aspects of the invention. The communication stream betweenthe server and client is preferably a secure connection, for exampleusing 128-bit (or higher) encryption secure socket layer transport. Thisensures that an eavesdropper on the communications stream of packetscannot easily decipher the content.

The recipient is preferably authenticated using a public key-private keysystem, wherein the information can only be decrypted by a person inpossession of the private key of the recipient. The encryption isprovided at the time of transmission by applying the intendedrecipient's public key, which is available from a certificationregistrar, and is unique for that recipient.

In order to ensure authorization for the intended recipient, a keyrepresentative of the patient identity is employed. According to oneaspect, this is provided as a server password, as a part of the loginand authorization process. However, according to a preferred embodiment,the information relating to a patient is encrypted with a public key forthat patient at a point of origin, and stored in encrypted format withina database. In order for the intended recipient to decrypt the record,he must have the patient's private key.

Further, a preferred embodiment of the invention provides an additionallevel of security, with a record level block or encryption provided bythe server. This encryption provides increased security generally, andfurther preferably is integrated with an audit and/or accounting system.It is noted that both financial accounting and auditing are consideredhereunder forms of accounting.

The information included in such trusts may include any valuable orprivate information, over which an information owner or custodian mightwish to exert control, but which has a certain value when selectivelydisclosed in a controlled fashion.

In particular, the present invention has particular application to themanagement of rights in digital works, to allow a content owner toexploit the value of the works while assuring control over the use anddissemination. Likewise, the present invention has particularapplication to the management of personal information, such aspreferences, profiles, and medical information, which may have negativeimpact if disclosed and used in an uncontrolled fashion.

The present invention also provides a system and method for preventingpiracy or misuse of information, while ensuring a revenue streamassociated with the information.

Content owners seek to distribute their content, for a fee, and seek tobe the sole source of their copyright content. On the other hand,primary distribution of content through electronic means facilitatesunauthorized secondary redistribution of content. The present inventiontherefore provides a method and system for restricting or controllingsecondary redistribution of content, without imposing an undue privacyburden on consumers. The present invention also provides a secureenvironment for controlling content distribution while facilitatingvarious accounting events.

Consumers could also maintain a repository of private information intrust, to prevent, for example, the unauthorized distribution ofpersonal information including Social Security numbers, credit cardnumbers, user history, preferences, habits, demographics, and otherpersonal information transmitted electronically. These trusts may thusmaintain user preference, profile and history files, allowingrestricted, rule-based use and access by commercial entities, whilepreserving the privileges, rights and value to the consumer. The rightsof the consumer may indeed be negotiated or otherwise adapted to thecircumstances. In this case, the trustee owes a duty to the consumer.

The present invention therefore involves the implementation and use of avirtual trust, wherein a content owner entrusts information content,generally in digital form, to a virtual trustee, which implements a setof access rules and controls on behalf of the content owner, fordistribution of the content. The virtual trustee, in turn, may shieldthe true identity of the customer or consumer.

According to one embodiment, the customer or consumer provides necessarytransactional information, which is then processed by the virtualtrustee, and then “anonymized”, with personally identifying informationexpunged.

In other instances, the trustee may be required to maintain personallyidentifying information, for example where personalized watermarks areembedded in the content in order to track usage and/or misuse. In thatcase, the trustee may, by the terms of an agreement, prevent externaluse of the personally identifying information. Thus, anonymization isnot a necessary part of the invention, but is supported by variousembodiments thereof.

Digital signatures may be employed in monetary transactions that, afterauthentication, are anonymous. Thus, a digital signature may be storedin an ancillary database that is private, and only accessed in the eventof a post-transaction dispute. In this case, the digital signaturerequires either the private key of the holder for authentication, orreference to a certification authority. Thus, user-identifyinginformation may be stripped from a transaction record, while preservingthe possibility of reconstructing the identity of the party. However,without the party's consent, such reconstruction would require, forexample, a court order to gain access to the certification authorityrecords.

A particular advantage of the use of the trustee according to someembodiments of the invention is that it permits user to gain theadvantages of personalized services, without relinquishing privacy.Thus, the trustee may act as a barrier, intermediary, or proxy betweenthe user (customer or consumer) and the content owner. Further, thetrustee may, in fact, serve a broad range of content owners, and thusmay provide both the content owners and users a higher quality system,greater selection, and acquire personalized and statistical data basedon a broader database of user patterns.

It is noted that the trustee generally acts on behalf of the contentowner, not the user. However, a stated privacy policy, and possibly anegotiated agreement between the user and trustee, serves to protect theprivacy of the user. Further, the user may enter into a separate trustagreement with respect to private user information. In some cases, thetrustee will be the same or a related entity, but this is not required.

The trustee may thus support personalization services, based on a wellpopulated user profile database. This personalization provides anadditional business model for the trustee. It is noted that if thepersonal information is held by the virtual trust on behalf of the user,then the personalization may then be controlled by the user withuser-provided rules. On the other hand, if the user information isretained by the trust on behalf of the content owner, then, dependent ongoverning laws and rules, the content owner may exploit the userinformation or have it exploited for its benefit.

The economic model for the trustee allows compensation from a number ofsources. First, when the content owner presents the content to thetrustee for inclusion in the virtual trust, which may be for thatcontent owner alone or an aggregate of multiple content owners, anaccounting may occur. Likewise, a periodic accounting may take place forincluded content. Accounting may also take place for browsing of thetrust contents (catalog) and for transactions with users. Further,residual uses of previously transacted content may be accounted.

The user profile and personalization may also result in accounting, bothwith user and content owner. Further, third party advertisers andmerchants may also use and account for use of the user profile andpersonalization, although generally only mediated through the trustee.

Other known triggers for accounting events may also be employed. Thus,the system according to the present invention does not excludeapplication to existing systems (such as those referenced herein) as asupplement or substitute for components thereof.

It is noted that if a financial accounting results in no net accounting,an internal or local accounting may take place without requiring anexternal transmission of data. Therefore, if a content string istransmitted including both content and advertising, and the receipt isauthenticated, and a net non-zero accounting would necessarily bereported, then the absence of a reporting may be presumed to be theresult of the content accounting and advertiser accounting offsettingeach other. Thus, the transmission from the user is preempted. Thistechnique may be further employed to assist in preserving user privacy.

Use of the personalization and user profile data typically result incompensation from the user to the maintainer. The maintainer may, inturn, compensate the user and/or the content owner whose contentresulted in acquisition of the data. Likewise, commercial subsidies mayalso provide additional accounting transactions.

The present invention therefore seeks to provide a comprehensive set oftechnologies to address the full scope of issues presented inimplementing a secure and versatile information content infrastructurethat respects the rights of content owners and users to privileges, suchas confidentiality, and gives due regard to federal and stateregulations, while facilitating full and appropriate use andtransmission of the data. Thus, the rules implementing the virtual trustmay be jurisdiction dependent, and the application thereof varydepending on the situs of the transaction or material aspects thereof.

It is possible, for example, for multiple trusts to be involved in atransaction. Thus, during a transaction with a media information trust,consumer information may be generated. This consumer information may, bylaw or agreement, belong to the consumer. The consumer may then entrustthis information in a virtual trust, according to a set of access andusage restrictions. While the trustee may in fact be the same entity,the trusts are separate “entities”.

Thus, the system according to the present invention provides a conduitfor the authorized transmission of information, while maintaining thesecurity of the information against unauthorized use and access.

Where the information is transmitted over a public network, it ispreferably encrypted. While there are many types of encryption, apreferred model is the public key infrastructure, which may be employedin various aspects of the present invention. The communication streambetween the server and client is preferably a secure connection, forexample using 128-bit (or higher) encryption secure socket layertransport. This ensures that an eavesdropper on the communicationsstream of packets cannot easily decipher the content.

The recipient is preferably authenticated using a public key-private keysystem, wherein the information can only be decrypted by a person inpossession of the private key of the recipient. The encryption isprovided at the time of transmission by applying the intendedrecipient's public key, which is available from a certificationregistrar, and is unique for that recipient. This also poses an issuefor a user seeking to circumvent distribution rules, in that in order toshare the file with third parties, the user must reveal its private key.Since this private key may have strategic private value to the user,release of this key publicly will be deterred. Further, decryptionsystems may employ a deactivation mode, wherein content or broadcastsare encoded with a series of user identifications which have beendeauthorized. Such deauthorization may occur due to breach of rules,expiration of license, of other cause. Thus, if publication of a user'skey becomes known to the trustee or content owner, then it may bedeactivated, making the copies less desirable than properly authorizedoriginals.

Further, a preferred embodiment of the invention provides an additionallevel of security, with a record level block or encryption provided bythe server. This encryption provides increased security generally, andfurther preferably is integrated with an audit and/or accounting system.It is noted that both financial accounting and auditing are consideredhereunder forms of accounting. Thus, components of the content may beseparately encoded. For example, songs on a record album, segments ofvideo (program, commercials, trailers, etc.), articles andadvertisements in a journal, may all be encoded within a contenttransmission. Separate accounting, both positive and negative, may beapplied for use or viewing of the content. Rules may be applied to thecontent, for example with subsidy content such as commercials oradvertisements, particularly controlling a manner of presentation. Inthis way, a user may account for content used, while receiving subsidyfor advertisements viewed. The rules may also include aggregate pricingfor plural elements of the content.

If an audit trail is maintained by the trustee, this information ispreferably maintained in a secure database. The audit trail may, forexample, record access, use, accounting and other types of events. In anon-line system, a content-browser or player may communicate with thetrustee to provide audit trail information.

Thus, in the case of voluminous records, such as a musical album, theindividual songs or elements are advantageously formed as information“polymers”, each “monomer” element having its own access rules.Therefore, the index may include multiple independently-accessiblerecord elements for a contiguous set of records. Likewise, disparate anddiscontiguous records may be connected through the index, even ifderived from different institutions or caregivers.

In one type of system, consumer media information, such as a musicalalbum, the individual songs or elements (the monomers) areadvantageously formed as information polymers (the album). In the caseof a record album, therefore, the consumer may “purchase” all or some ofthe songs, paying only for the content used, and being subject to usagerules, such as incentives for paying for the entire album rather thanjust a few songs.

On the other hand, related content elements need not be included withina single record, file or transmission. Thus, an external or intrinsicindex may define a compilation or set of elements. In a mediainformation polymer, the access restrictions and rules may be definedat, and with respect to, an atomic level, although aggregate rules arepreferably also provided.

In the case of a record album, therefore, the consumer may “purchase”all or some of the songs, paying only for the content used, and beingsubject to usage rules, such as incentives for paying for the entirealbum rather than just a few songs.

Preferably, the accounting for use occurs through the trustee, who inturn accounts to the content owner. However, accounting transactions maybe direct with the content owner or other interested party. Further,accounting or logging of transactions may be automatic or manuallyinitiated. Certain accounting transactions may be logged locally to theuser, and transmitted in bulk to the trustee or content owner,periodically or upon a specified event.

In one embodiment, employing high security, a record is stored in amedia content database, encrypted with an algorithm that requires aspecific challenge-response verification in order to decrypt, either inthe database or upon transmission therefrom. Upon transmission, therecord is further encrypted using a transactional (e.g., single sessionkey) encryption algorithm, and further encrypted with the intendedrecipient's public key. The triple-encrypted message is then transmittedover a secure connection, e.g., SSL, or a Virtual Private Network (VPN).In order to employ the record, the recipient first applies his privatekey, which may be stored in a physical token, such as a smart card, fob,or key. Decryption of the transactional encryption may be an automatedon-line process, and is intended primarily to deter eavesdroppers and toverify receipt, authorization, and to trigger an accounting event. Thisactivity is logged in an audit database (which is, itself, preferablysecure), and the activities accounted in an accounting database. Anapplet “wrapper” (encryption algorithm embedded in an applet) associatedwith the content, is then activated, to provide access to the content,again verifying authenticity, and to assure that appropriate rules havebeen followed for control and management of access. In one embodiment,each use of the encrypted content requires a separate on-linetransaction accounting and/or authorization session, or the results of aprior on-line session, allowing asynchronous or periodic authorization.

This scheme affords a number of advantages. First, the records in thedatabase may be stored in encrypted format, and thus the trustee neednot have access to the information contained in the records. Further,the physical security required to achieve a desired level of compositesecurity for the database is reduced. Likewise, testing and maintenanceof the database poses a substantially reduced security risk, since therecords are encrypted. This also facilitates a peer-to-peer contentdistribution model. Thus, content records may be widely dispersed, andsharing encouraged, since each new user engages in an accounting and/orauthentication transaction, facilitating content management. Sincedistribution is low cost and not capital intensive, consumer costs mayalso be lowered. Further, since the system supports a variety ofcompensation schemes, more equitable distribution of burden and incomemay be achieved. Through implementation of a micropayment system, as isknown in the art, transaction expenses may be controlled, and in someimplementations, consumer privacy protected.

Each use of the record triggers an accounting/audit event, thus allowingfinely granular records of record access, and reduces the risks ofsecurity and privacy breach after record transmission. Importantly, thisallows usage based financial accounting for the records, imposing afinancial burden based according to value. Therefore, the revenues formaintenance of the system may be based on a number of factors,automatically calculated, which impose low costs for minimal usage ofthe records and larger costs on substantial use of the records.Typically, the financial burden will be about the incremental cost ofservicing a request, plus a portion of the profit, amortization, andoverhead for constructing and maintaining the system. It is this profit,overhead and amortization component that may be shifted more heavily toextensively used records from those with lesser value. On the otherhand, the net cost to a consumer for popular content may be less thanthat for obscure content.

In the case of information content which is private, such as business orpersonal records, the system architecture differs, in that disclosure ofthe content must be protected. In a normal consumer media system, thecontent is not confidential, and thus the distribution system isintended to impose a barrier to circumvention, rather than generallyprotect with high security the content. A secure system must, however,be designed to meet emergency requests. This ability to provide highsecurity in general, but also provide exception processing with lowersecurity, will undoubtedly increase system costs for even non-emergencyrequests. Thus, an additional fee component may be applied to emergencyinformation or content requests. The urgency of a request may bedetermined, for example, by a self-reporting, or a contextual assessmentthereof.

According to some embodiments, when a recipient seeks a record, he mustidentify himself, and the identity of the desired content record. Theidentification of the recipient is then authenticated, for example usinga digital signature or challenge-response authentication scheme, inwhich messages are passed back and forth between the recipient andserver.

In the case of private content which is “triple encrypted” as discussedabove, when a requester receives a file, he must enter his owndecryption key as well as the content decryption key. The contentdecryption key is obtained extrinsically, or from a certificationauthority that verifies the circumstances of access and the requirementstherefore. The certification authority is preferably separate from thetrustee. However, the decryption need not be direct, i.e., the keys usedin a locally executing algorithm to release the record contents. Rather,an on-line process is preferably implemented, in which theauthentication (decryption) codes are entered, and accounting and auditinformation processed, in order to release the file contents. Thus, thepresent system potentially provides a third level of encryption, tosupport its own access restrictions, which, for example, may be drivenby a need to account for access. This encryption may be applied, forexample, as the record is being prepared for transmission from thedatabase. The on-line process also serves to protect record privacy,since an audit entry may be maintained for each usage, rather than onlyfor the transmission usage.

In the case of confidential records, the recipient's “role” may checkedfor consistency with a set of role-based access rules, defined by thecontent owner, but may change in different contexts. The reported rolemay be accepted, or verified with a database. Based on the role of therecipient and the identification of the content, an index for thedatabase is searched for records. Preferably, the index includes, foreach content record associated entry, an identification of the locationof the content record and a set of access rules, which are, for example,role based.

The role-based access rules are generally defined automatically based oncontextual and circumstantial data. Manual rules and edits may also besupported. Typically, a hierarchy is defined of data sensitivity, withthe most sensitive data provided with the highest level of restrictions.

The access rules are defined by a set of defaults, and “overrides”,implementing a content owner's wishes. The defaults, in turn, aredefined as a standard overall system security level.

Since, according to one embodiment, the trustee does not have decryptedaccess to the content records, the content owner must build the index.Often, the rules will be applied based on a generic type of record, withsensitive records, afforded the highest protection, and more publicinformation provided with less security.

The recipient, after authentication of identity and role, is thenpresented with a list of content records available and/or existing. Forsensitive records, even the existence may be shielded, while for lesssensitive records, the content is shielded while the existence is not.The recipient then selects which records to receive, in an interactiveprocess over the secure communications channel. The records are then“wrapped” with the controlled access applet, and encrypted with therecipient's public key and transmitted over the secure communicationschannel.

In some instances, a recipient will have access to or be provided with asummary, synopsis or program guide of a content record. For example,summaries may be a part of the record generated by the private contentowner. This summary may be available to the recipient based on theaccess rules, and therefore delivered to the recipient in the statedmanner. Subsequently, the recipient may, based on the contents of thesummary, request further records. Preferably, the present inventionprovides a “fast” interactive mode for delivering such summaries, makingthe encryption and authentication process as transparent as possible forthe series of transactions.

The present invention also provides a privileged information trust, forexample a media content information trust, a secure and verifiableaccess database, and systems and methods therefore.

According to an aspect of the present invention, it is not necessary toconsolidate the media content into a single file. Thus, many separatemedia portions may be stored separately, and indeed in separate portionsof a distributed database. A central index is maintained which records,for each piece of identified content, the location of the portions andaccess rules therefor. For retrieval, only those content records thatare contextually relevant are recalled. Of course, these may beconsolidated.

In order to maintain privacy of the media content record, the contentitself may be encrypted. In this case, the access rules are externallycoded, so that the content of the record may be shielded while stillpermitting controlled access. Various security schemes may be employedfor selective access to the record once delivered. For example, eachaccess requester may be provided with a public key/private key pair. Therecord may be delivered encrypted with the public key, in a form suchthat the private key is necessary in order to decrypt the information,while also authenticating the content. Thus, in the case of personaldata in trust, employed by an advertiser or content seller, the personaldata is delivered in encrypted form, and the user must authenticatehimself and account for the use. Different users or types of users(e.g., roles) may have different rights of access, defined by rule.

In cases where the database holds encrypted records, physical securityof the database provides an additional layer of protection. Thus, forexample, personnel maintaining the database need not be exposed toprivate records.

One embodiment of the present invention therefore envisions a systemarchitecture having three separate portions: (a) the database(s),containing individual records, which may be encrypted or plain-text; (b)an index, relating content identifier with database records, as well asaccess rules; and (c) optionally, a certification authority, holdingencryption data. The certification authority serves a practical purpose,but implementation of such an authority may be avoided if respectivepasswords and encryption keys are reliably and securely held only byauthorized users. However, since emergency situations arise in practice,which may require decryption key access without personal expressauthorization from the content owner, the certification authority may bean important component of the system. The certification authority alsoissues the keys, enforcing certain rules for key selection.

The certification authority employed in conjunction with the presentinvention presents the same issues as typical existing certificationauthorities. These entities presently hold encryption keys, which arereleased only under specified conditions. Typically, the release ofsecure keys involves an authentication step and incurs risk of detectionof unauthorized recipients. According to the present invention, theremay be a need for automated release of such encryption codes, forexample where the volume of requests exceeds a manual processingcapability. In this case, a highly secure personal authentication schememay be implemented, for example using biometric authentication, or acombination of password and key access. Of course, this is generally notpossible with public systems, where strict user-level control cannot bepresumed. It is also possible to implement role-based or authority-basedaccess in addition to other schemes, for example, in the case of medicalinformation, limiting access to physicians and institutionaladministrators.

According to the present invention, the records may be treated ascopyright works. Therefore, a license fee may be charged for any copyingor use of the record, based on a copyright license. The provider, inturn, may then receive a passthrough royalty payment. Even if acopyright theory is ultimately found defective, the database may stillbe protected under other types of legal regimes, for example the DigitalMillenium Copyright Act (DMCA), with respect to its copyprotection/anticircumvention features, or sui generis protectionavailable in certain countries. In fact, many of the proposed techniquesfor protection, distribution and accounting proposed for use withconsumer media information, such as digital music files, e.g., MP3files, may advantageously be applied in accordance with the presentinvention.

It is noted that, in the case of public media content, the contentitself need not be encrypted. Instead, a secure watermark and digitalrights management-implementing playback system may be used. Thus, whilethe content is not encrypted, usage restrictions and content trackingand management functions may be implemented through encrypted or hiddenmessages in the content. This technique permits the content to beemployed without decryption (which may consume valuable computationalresources), while permitting content management on behalf of the contentowner.

In order to provide further security for the records and the use of thesystem, various techniques are available. For example, dummy contentrecords may be added to the database and index. Any access of theserecords is presumably based on an attempt for unauthorized access. Thus,the existence of these records, with access tracking, allows detectionof unauthorized uses of the system. Another method of securing thesystem is the use of steganographic techniques, for example embeddingwatermarks in audio and images, pseudorandom dot patterns in scannedpage images, random insertion of spaces between words, formattinginformation, or the like, in text records, or other techniques.Therefore, records obtained through the system may be identified bytheir characteristic markings. In fact, every authorized transmissionmay be subjected to a different set of markings, allowing a record to betracked from original authorized access to ultimate disposition. Anexplicit bar code, watermark other type of code may also be provided onthe document for this purpose. It is noted that such markings cannot beimplemented at the point of transmission on encrypted data, and thusthis type of security requires access to the raw content. However, thismay be implemented at the point of decryption, which may be in asufficiently secure environment. Thus, the present invention provides asystem for the decryption and watermarking of data, in a content (orcontent type)-specific manner. An online handshaking event may occur ondecryption, to provide confirmation of the process, and indeed may alsoauthenticate the user of the system during decryption.

One particular application of the present invention is directed towardthe management of access to medical records. Thus, the system accordingto the present invention provides a conduit for the authorizedtransmission of medical records, while maintaining the security of therecords against unauthorized access. A preferred communications networkis the Internet, a global interconnected set of public access networks,employing standardized protocols. Thus, the records may be transmittedvirtually anywhere on earth using a single infrastructure. Alternately,private networks or virtual private networks may be employed. In fact,as the system according to the present invention gains ubiquity, aprivate network model would be preferred, in order to increase securityand allow the system to be tuned to the types of data and quality ofservice demands made by users.

In order to ensure authorization for the intended recipient, a keyrepresentative of the patient identity is employed. According to oneaspect of the invention, this is provided as a server password, as apart of the login and authorization process. However, according to apreferred embodiment, the information relating to a patient is encryptedwith a public key for that patient at a point of origin, and stored inencrypted format within a database. In order for the intended recipientto decrypt the record, he must have the patient's private key.

In a medical information polymer, disparate and discontiguous recordsmay be connected through the index, even if derived from differentinstitutions or caregivers. Since the access restrictions are defined atan atomic level of the medical information polymer, these may be appliedboth at the trustee server system, to limit access based on predefinedrules, or at the recipient level, to limit access to desired recordswhich are available based on the recipient authorization.

For example, a record is stored in a medical records database encryptedwith a respective patient's public key. Upon transmission, the record isfurther encrypted with a transactional encryption algorithm, and furtherencrypted with the intended recipient's public key. The triple-encryptedmessage is then securely transmitted, and decoded in reversehierarchical order. This decoding may include requiring the recipient toengage in an on-line authentication/accounting transaction, to decryptthe transactional-level encoding. This activity is logged in an auditdatabase, and the activities accounted in an accounting database. Anapplet “wrapper” may be associated with the record, which, inconjunction with the supplied patient's private key, allows decryptionof the record itself. Each use of the encrypted record requires aseparate on-line transaction accounting session.

Since the system must be designed to meet emergency requests, which willundoubtedly increase system costs for even non-emergency requests, anemergency transactional fee may be added to a normal transaction fee insuch circumstances. The urgency of a request may be determined, forexample, by a self-reporting, or a context. In fact, since the systemhouses medical records, the urgency may be determined after the fact,with delayed accounting for this fee component.

When a recipient seeks a record, he must identify himself, his role inthe patient care, and the identity of the patient and/or record. Theidentification of the recipient is then authenticated, for example usinga digital signature or challenge-response authentication scheme, inwhich messages are passed back and forth between the recipient andserver. See, for example, U.S. Pat. No. 6,028,937 (Tatebayashi et al.),U.S. Pat. No. 6,026,167 (Aziz), U.S. Pat. No. 6,009,171 (Ciacelli etal.) (Content Scrambling System, or “CSS”), U.S. Pat. No. 5,991,399(Graunke et al.), U.S. Pat. No. 5,948,136 (Smyers) (IEEE 1394-1995), andU.S. Pat. No. 5,915,018 (Aucsmith), expressly incorporated herein byreference, and Jim Wright and Jeff Robillard (Philsar Semiconductor),“Adding Security to Portable Designs”, Portable Design, March 2000, pp.16-20.

It is also possible to employ so-called rolling code encryption, inwhich a pseudorandom number generator is employed to generate a sequenceof codes, wherein a common seed for the pseudorandom number generatorused for encryption and decryption maintains synchronization. In such asystem, each code sequentially generated by the system differs, therebyallowing distinct encryption codes (keys) to be generated and employed.The security of the system relies, in part, on the presumed difficultyin determining the pseudorandom seed by analyzing a sequence ofgenerated codes. See, U.S. Pat. No. 5,369,706 (Latka, Nov. 29, 1994);and U.S. Pat. No. 5,420,925 (Michaels, May 30, 1995), expresslyincorporated herein by reference.

The recipient's role is checked for consistency with the recipient'sidentity, but may change in different contexts. For example, a physicianmay be an attending/primary care physician or a consultant on a case.The reported role may be accepted, or verified with a recipient medicalinstitution database. Based on the role of the recipient and theidentification of the patient, an index for the database is searched forrecords. Preferably, the index includes, for each patient associatedentry, an identification of the location of the medical record and a setof access rules, which are, for example, role based.

Thus, for example, an attending physician would likely have access tocomplete medical records, while a therapist would have limited access torelevant records.

The access rules are defined by a set of defaults, and “overrides”,implementing a patient's wishes. The defaults, in turn, are defined as astandard overall system security level, additionally, the custodianmedical institution that is the source of the records may impose theirown access rules.

Since, in a preferred embodiment, the trustee does not have decryptedaccess to the medical records, the index is created by another party.For example, the custodian institution or a medical informationclearinghouse may build an index. Often, the rules will be applied basedon a generic type of record, with sensitive records, such as sexual,drug abuse and psychiatric history afforded the highest protection, andmore public information, such as date of birth and hair color providedwith less security.

The recipient, after authentication of identity and role, is thenpresented with a list of medical records available and/or existing. Forsensitive records, even the existence may be shielded, while for lesssensitive records, the content is shielded while the existence is not.The recipient then selects which records to receive, in an interactiveprocess over the secure communications channel. The records are then“wrapped” with the controlled access applet, and encrypted with therecipient's public key and transmitted over the secure communicationschannel.

In some instances, a recipient will have access to or be provided with asummary or synopsis of a record. For example, summaries may be a part ofthe record generated by the custodian medical institution. This summarymay be available to the recipient based on the access rules, andtherefore delivered to the recipient in the stated manner. Subsequently,the recipient may, based on the contents of the summary, request furtherrecords. Preferably, the present invention provides a “fast” interactivemode for delivering such summaries, making the encryption andauthentication process as transparent as possible for the series oftransactions.

While it is preferred that the medical records be maintained in trust bythe trustee, in some instances, the custodian will maintain the recordsand mediate requests for access. The present system, in that case,serves as a front end for interfacing with the custodian's privatenetwork, as well as performing the authentication and optionallyrule-based access implementation. In this case, the index serves toidentify the relevant institutional databases, and may serve as a proxyto consolidate the search for records through a single access system.Typically, where the records are external, the access rules will also beexternal.

The trustee system according to the present invention may be providedwith access rights to interface with institutional private networksthrough a firewall or VPN. An applet may be provided by the trustee tothe institutional network server, to implement the access rules withinthe firewall, thus maintaining security of the records, even from thetrustee. Alternately, the custodian medical institutional system mayimplement native access rules. In either case, the record transmitted bythe institutional system to the trustee system may be encrypted with thepatient's public key, and thus the process is sufficiently similar thatthe difference between access through the trustee database and thecustodian (institutional) database may be transparent.

In like manner, in appropriate instances, a recipient may make a queryto search the medical record. In that case, the query must be performedon a decrypted record, e.g., locally by the recipient, or within thecustodian private network. Of course, if the trustee system supportsdecrypted medical records, then a search may be conducted therein. Inthe later case, the query is transmitted from the recipient to thetrustee, to the custodian medical record system. The query produces aresult, typically based on the entire record, since the access rules aretypically not applied within the custodian network. The results mustthen be filtered based on the defined rules. As above, the search resultmay indicate records that are accessible or inaccessible by therecipient, or shield the existence of unauthorized records. Theseresults may then be transmitted to the recipient in the manner of themedical summary discussed above.

The present invention also provides a privileged information trust, forexample a medical information trust, a secure and verifiable accessdatabase, and systems and methods therefore.

The present invention provides, according to one embodiment, anextensible database architecture that provides data records relating topatient transactions. Accordingly, the transaction data need not bephysically linked within the computer storage medium, and indeed, forvarious reasons, transaction data relating to a specific patient may beintentionally split. Rather, each transaction is indexed by patientidentifier, which has historically been a social security number. Whilethis number was not originally intended for this purpose, medicalinstitutions and third party payors have universally used theseidentifiers in the past, and therefore legacy data almost universallyincludes social security numbers. Thus, even if a trend were establishedto eliminate its use, social security number identifiers would remainwithin the database. A surrogate identifier may be employed, for exampleto deal with redundant Social Security Numbers (SSNs), persons withoutan SSN, or those who refuse to allow use of an SSN.

Each transaction within the database may be a small record, for examplea result of a simple blood test, or a large record, such as radiologicaldata. A transaction may also include aggregations of data, such asrecords from an entire hospital admission. Each transaction ispreferably associated with a descriptive header, providing metadataregarding the record content, as well as rules for access. The accessrules may be stored outside the record itself, and thus provide only avery general level of information outside the record itself, whileensuring that only those aspects of the record are retrieved which arenecessary for the context of use.

According to an aspect of the present invention, the medical record neednot be consolidated into a single file. Thus, many separate transactionsmay be stored separately, and indeed in separate portions of adistributed database. A central index is maintained which records, foreach patient, the location of the transactions and access rulestherefor. For retrieval, only those records that are contextuallyrelevant are recalled. Of course, these may be consolidated.

In order to further maintain privacy, the record content itself may beencrypted. Thus, since the access rules are externally coded, thecontent of the record may be shielded. Various security schemes may beemployed for selective access to the record once delivered. For example,each medical professional may be provided with a public key/private keypair. The record may be delivered encrypted with the public key, in aform such that the private key is necessary in order to decrypt theinformation, while also authenticating the content.

The preparation of this record may be performed in a trustedenvironment, separate from the database retrieval system itself. Thus,in the main database, patient records may be stored using a publickey-private key design (PKI—“public key infrastructure”) encrypted withthe patient's private key by the original source of the information.Upon retrieval, patient authorization is verified by obtaining thepatient's public key.

Thus, the message may be multiply encrypted, using, for example, bothpatient and provider keys, or a combination thereof, requiring a properidentification of both the provider and the patient.

The patient keys may be assigned periodically, for example for ahospital stay, or uniquely or each patient.

In general, aspects of this security scheme are weak with respect to“insiders”, since key security is likely to be poor. For example, aphysical token may be borrowed or stolen. While biometric authenticationmay reduce these risks, they are not eliminated entirely. For example,in many instances, requests for records are made by clerical oradministrative personnel on behalf of a medical practitioner. Thus, theintended recipient is different than the requestor. It is not alwayspractical to require a set of on-line transactions for use of themedical record, and thus security may be breached by allowing atransmissible decrypted information object to exist. However, to thegeneral public, this type of security is strong. In order to provideinternal security, access logs and audit trails are maintained. Theselogs and trails are effective deterrents to record misuse, even thoughthey typically do not detect misuse in real time. Medical professionals'license and reputation are tied to appropriate and ethical use of theinformation, and therefore potential for discovery of a breach byretrospective review of the logs and trails would serve as a deterrent.Further, challenge-response security methods may be employed, and/orrolling code methods, in order to further verify the recipient.

In the event that a patient's private key is discovered or released, thesecurity of the database for that patient may be compromised. On theother hand, during record access, the encryption may be efficientlychanged. Thus, the keys may be changed after each access, providing arolling code-type security scheme, i.e., one in which the code changesduring use, in a manner which is outwardly unpredictable, but in amanner known to both counterparties to the communication. The issueshere are that (a) the security breach may be undiscovered and (b) thearchive database contents are difficult to alter. These may be addressedby periodically changing the encryption during regular databasemaintenance. The record decryption and re-encryption may be handled by atrusted certification authority, which possesses the encryption keypairs in any case. The PKI registrar must also maintain a securedatabase, since the encryption keys must be stored in case of emergency.

Therefore, the database of medical records may be maintained in anencrypted state, vastly reducing the security risks in maintaining thedatabase. On the other hand, the index, which is presumably much smallerand more easily maintained, requires more security. However, since theindex and associated records are separate, a security breach of theindex alone only yields only the patient identifier, and access rules,and possibly other indexed information, but not the record contentitself. Therefore, ancillary security measures may be employed tomaintain security of the database records.

A database operator may serve as a trustee for the medical records orassociated access restrictions therefore (e.g., custodial possession ofor control over cryptographic keys), on behalf of the patient,implementing a set of access rules defined, for example, by the patient,legal system, or medical system policies.

This medical information trust is a significant advance, since it allowsthe patient to exert control over the release of medical records, andpotentially allows a more optimal allocation of costs for medicalrecords creation, maintenance, use and transmission. Typically, thirdparty payors and insurers have accepted the cost of medical recordkeeping as an inherent part of the cost of medical care. By providing anopportunity to segregate this cost, and indeed externalize the processfrom the medical institution, greater efficiencies and more optimalallocation of costs may be achieved.

Indeed, the medical institution is an intended “client” of the medicalinformation trust, since by consolidating a plurality of institutions,uniformity, interoperability, cost reductions, and improved securityresult. Further, with the present changes in regulations encompassingmedical records, internal compliance by medical institutions, providersand all parties accessing the medical record, with the regulations willalso be required.

One system architecture according to the present invention thereforeenvisions three separate portions: (a) the database(s), containingindividually encrypted records; (b) an index, relating patientidentifier with database records, as well as access rules; and (c) acertification authority, holding encryption data. The certificationauthority serves a practical purpose, but implementation of such anauthority may be avoided if passwords and encryption keys are reliablyand securely held only by authorized users. However, since emergencysituations arise in practice, which may require decryption key accesswithout personal express authorization from the patient, thecertification authority is an important component of the system. Thecertification authority also issues the keys, enforcing certain rulesfor key selection.

Since the database holds encrypted records, physical security of thedatabase provides a supplemental or additional layer of protection.Thus, for example, personnel maintaining the database would not beexposed to patient confidential records.

On the other hand, the index contains critical information that carrieslow value unless abused. This abuse, in turn, could be detected by audittrails and other access controls, to both the index, and databaseitself.

Typically, the security of the database need only be such that it is notthe weakest link in the chain; for example, medical records areavailable for abuse at the point of creation, after transmission to anauthorized party, and at clearinghouses.

During an acute illness, the medical record for a patient will beactive, and not immediately added to the archival database. Because ofthe massive database undertaking, in general the archival databasesystem may be architected to include records that are both final, andrelatively inactive. Thus, once a record is written to this archivaldatabase, it would not be modified, and the data access demands shouldbe relatively small, allowing a high ratio storage capacity to bandwidthcapacity database system to be employed. Alternately, the active andarchive databases may be consolidated, providing a single access systemfor the medical information. Thus, active patient records may be storedseparately. The present system therefore proposes, in one embodiment, alarge archive of “inactive” medical records and a set of active records.

During an acute illness or hospitalization, medical records stored inthe custodian's database may be constantly subject to update andmodification by the medical institution. Therefore, the treatinginstitution or custodian will maintain the most accurate records. Thepresent invention therefore preferably accesses such records through thecustodian's database on a private network, rather than seeking tomaintain an accurate and synchronized copy of the records elsewhere. Thetrustee system may therefore maintain a log of access and a list ofwhere to search for updated records. Further, external access of theactive patient record from outside the custodian's private network willbe rare.

Thus, the present invention proposes, in one embodiment, that activemedical records be accessed directly from the treating medicalinstitution. Rather than seeking to maintain an updated index and accessrules for the active medical record, a relatively simple pointer may bemaintained in the index identifying the active medical record andinvoking a separate access system. In some instances, this separateaccess system will be completely controlled by the treating medicalinstitution, while in others, an “Internet” (public internetworkedaccess interface) may be implemented using a standardized protocol.

In the case of active medical records, typically the custodian'sinternal database is not encrypted. Thus, internal access to the recordsdoes not require a decryption key. One method for bridging the activeand inactive systems is to transform the active medical record at theinstitutional firewall (secure interface between internal and publicnetworks) into an archive format, compatible with the trustee's databasesystem. Thus, in this case, access rules are computed, the rulesprocessed, and the record encrypted according to the archive format.Therefore, a relatively transparent process may be implemented, whereina record requester is not aware that a record is derived from an activeor archive setting. Therefore, various rules and transitional rules maybe flexibly implemented for defining active and archive records.

In some instances, there may be redundancy or inconsistency between theactive and archive medical records. For example, a record may betransferred to an archive, and subsequently the patient has anotherencounter in the same matter. In this case, the archive record will beincomplete. Likewise, through a quality control process or otherwise, amedical record may be corrected, supplemented or altered. While an audittrail will generally be maintained to verify that any changes areauthorized, records are generally taken at face value without referenceto the audit database. In order to provide an updated archive, a numberof techniques are available. First, if the change is an addition, a newtransaction record may be added to the archive, with a correspondingentry made in the index. This is the normal method for adding data tothe archive. Second, the archive record may be modified. Typically, thearchive will be stored on non-rewritable media, or if rewritable, spacewill be allocated at the time of original record creation. Preferably, asmall amount of free space will be allocated and preserved with eachtransactional record, for example, a remaining space in a storage“block”, or additional blocks for large records. This space may be usedto store a patch table or an addendum itself. Finally, a record of suchchanges or additions may be made at the index level or in a masterpatient record file.

The present invention also encompasses a medical information trust orvirtual information trust. Therefore, according to this aspect of theinvention, rather than merely being caretaker of an encrypted archive,the system according to the present invention may hold the medicalinformation in trust on behalf of the patient, and thus is subject torules defined by the patient for access to the medical record, includingthe possibility of full access, partial access, or no access.

Therefore, an embodiment of the invention provides a trustee databasethat includes decrypted or plaintext records. According to this aspectof the invention, a distinct security paradigm is necessary. This maybe, for example, the secure mediator paradigm of Gio Wiederhold et al.,or another system that provides secure and authenticated access to therecords.

In the case of medical information trusts, the possibility for dataanalysis of patient records is possible, for example to performstatistical analysis, academic research, and indeed to provideinformation and recommendations to the patient. The system according tothe present invention may provide a large and diverse set of availablemedical record content. Thus, by obtaining a large number of records foranalysis, very sensitive and specific studies may be performed todetermine risk factors for disease, propose tests for possible latentconditions, or otherwise provide data for the patient.

Further, the trustee system may proactively maintain current informationabout the patient independent of a medical practitioner. For example,medical histories and questionnaires may be periodically updated so thatthe medical record is current, including medications, conditions,complaints, impairments, etc. Thus, a health care professional mayaccess the record (on authorization) to obtain this information forefficient treatment. Further, the system may cooperate with a treatingmedical physician, in order to gather and maintain specific informationfor use by that physician, again making patient encounters moreefficient.

Critically, insurance forms, authorizations, and the like, may be filledout remotely, for example using a secure socket layer (SSL) connectionon the Internet or on an intranet, prior to a scheduled visit, reducingwaiting time.

By supplementing the patient medical information archive with a summarymedical record extract (in trust), powerful advantages accrue. Forexample, patient health information becomes increasingly portable, andthus the efficiency of medical services may increase. Emergency servicesare also facilitated.

It is noted that a summary medical record extract file may itselfinclude role-based or context-based access restrictions, both to theentire record and to portions thereof. Context based access may, forexample, allow immediate release of important information in emergencysituations. Such context-based access may also be used to programmedical devices and facilities based on patient parameters. The medicalrecords may also be specified as accessible for a particular individual,group, entity, or device.

Since the summary medical record extract file is separate from themedical record itself, and presented in a strictly defined format, it isreadily made anonymous. Therefore, for academic study, a set ofanonymous master patient record files are enabled. Special rules maythen be implemented for subsequent access to the transactional records,where necessary, to complete a study. For example, a patient may executea consent form for inclusion in a study, with defined records accessrules. In case of an absence of specific consent, it may still bepossible to obtain necessary information in an anonymous fashion. Thus,an anonymous summary medical record extract includes incidents, some ofwhich may be relevant for a study. The researcher then requests furtherinformation about the incident for the anonymous patient. The request isthen translated by the index server to identify the desiredtransactional record. Using access rules, the authority for access ofthe record is verified. Typically, such access would be denied if thedesired transactional record is particularly sensitive or cannot be madeanonymous, for example, including a scanned page with the patient's nameor identification embedded in a non-redactable form. Manual redactionmay also be used, but would be more costly. An automated scrubbingprogram may also be implemented to remove personally identifiableinformation from the medical records.

The security of even anonymous summary medical record extracts is oftencritical, because the facts presented therein often are specific enoughto identify a particular individual, thus allowing a bridge betweenlimited patient-identifying data and an entire anonymous record.

In order to provide further security for the records and the use of thesystem, various techniques are available.

For example, dummy patients may be added to the database and index. Anyaccess of these records is presumably based on (a) academic research ofanonymous data, which is then filtered to eliminate the dummy data, or(b) unauthorized access. Thus, the existence of these records, withaccess tracking, allows detection of unauthorized user of the system byacademic or medical users.

The role-based access rules are generally defined automatically based oncontextual and circumstantial data. Manual rules and edits may also besupported. Typically, a hierarchy is defined of data sensitivity, withthe most sensitive data provided with the highest level of restrictions.Typically, primary care providers have the highest level of access,while paraprofessionals have data on a context-dependent requirementsbasis only. Further, non-professionals may be provided with data on aneed-to-know basis only. For example, transport personnel might need toknow if a patient has violent tendencies, contagious disease, or anacute condition.

Other medical personnel have access to the record based on context androle. For example, a respiratory therapist might require access topulmonary and central vascular history records, as well as abstracts ofacute medical information, current pharmaceutical information,scheduling (e.g., for inpatient care), and specific notes directed tothe therapist, individually or in a treatment group.

Thus, a past history of depression (resolved) in a patient admitted fora kidney stone may be communicated only to the primary care physicianand psychiatric treating professional, if any. Possibly, this data wouldbe communicated to a pain management professional, if the past historyof depression had a pharmacological or drug abuse component. This datais otherwise deemed contextually irrelevant to the acute treatment.

The present invention seeks to provide an enhanced level ofinteroperability and portability of electronic medical records (EMR)between various health care professionals, researchers, and third partypayors, without compromising confidentiality. Further, the system andmethod according to the present invention present a new business modelfor the creation, maintenance, transmission, and use of medical records,allowing financial burdens to be reallocated, for example more optimallyor equitably, to decrease overall societal cost, or simply to provide asuccessful business model for a database proprietor.

In order to increase interoperability between disparate database and EMRformats, the present invention provides a common file-tagging format,for example extensible markup language (XML) to encode records. Thus,the file formats need not be fully translated, but rather data elementstagged in a standardized format. A recipient may then implement a filetranslation, if necessary. Alternately, the recipient may use the filein its native format, for example by printing the file in paper form, orviewing on a computer monitor. The record reader application softwaremay impose hardcopy output and electronic copying restrictions, and, forexample, impose time-out limits to prevent unusually extended viewingsessions.

In order to increase portability, the physical records, especiallyarchives, may be stored outside a medical institutional infrastructure.Thus, limitations of access and bandwidth imposed by a public networkgateway for a medical institution do not impede information transfer.Authorizations, as distinct from the medical information sought, areverified on-line, and may involve access to a medical institution, buttypically command substantially lower bandwidth requirements.

According to a preferred embodiment, the EMR system is capable ofreceiving and transmitting information between a large number of sitessimultaneously, and typically provides a distributed architecture forscalability and peak load handling capability.

It is noted that, while the present invention is capable of handlingradiological data, the medical records handling systems are notnecessarily optimized for storage and transmission of massive image datafiles. Therefore, according to another aspect of the invention, aseparate subsystem is provided for such image files. Advantageously, animage file database system is configured to operate as an off-sitebackup for computerized radiology practices, and thus gains significanteconomies by performing dual functions. In many instances, courier orpostal transmission of physical recording media is preferred toelectronic transmission, especially where the recipient does not havehigh bandwidth communications capability. Thus, as an additional aspectof the invention, a capability for rapid production of individualmedical transaction records or entire records stored oncomputer-readable recording media is provided. For example, RecordableCD ROM (CDR), DVD-RAM or DVD-RW disks may be employed.

For example, if an entire record is stored to a portable computerreadable storage medium, it may include various access restrictions,encryption, password, audit trail and accounting properties, and thusmay serve as an extension of an on-line system.

According to the present invention, an index is maintained whichincludes relatively sparse information defining the identifier of thepatient, access rules, and the location of the record file. In fact,this system does not prevent direct access by an intended and authorizedrecipient to a database system maintained by the source medicalinstitution. While such access cannot be guaranteed, and indeed theconditions and quality of such access will vary between medicalinstitutions, this allows medical institutions to establish their ownpolicies and procedures for access to medical records under theircontrol.

Likewise, according to the present invention, a patient may, within thescope of available resources, define rules and procedures for access tomedical records. Thus, the rules defined by a patient or record ownermay differ from those imposed by the custodian medical institution. Adefault set of rules restricts access to medical professionals who candemonstrate authorization, with disclosure of particular transactionalrecords limited according to a set of rules defined by the role of therequestor. As trustee for the patient, the proprietor of the databasesystem may also implement more or less restrictive rules as defined bythe patient, and release records accordingly. The trustee may also,within the scope of law and regulation, implement a set of rules definedby the respective individual or custodian medical institution inconnection with that institution's processing of its custodial medicalrecords.

In addition, in the case of a research study, patients may becompensated for access and/or use of the records in the manner of a paidresearch subject.

According to the present invention, the originating (custodial) medicalinstitution creates the original record. The original input process istypically considered integral to the provision of medical care, and isnot compensated separately. Often, a clearinghouse then processesmedical records, which is typically an external firm. The result may bea complete coded version of the paper record generated by theinstitution, or merely a set of coded entries for the various billableprocedures and aspects, or somewhere in between. In this process, thepaper record may be scanned and optically character recognized. Theclearinghouse typically imposes a significant internal or externalexpense, since high quality is critical. Since this is not a directelement of patient care, it is not a reimbursable expense, and istreated as institutional overhead.

One significant purpose for coding these records (beyond tallyingtreatment costs for billing) after a hospital visit is due to the valueof the archive information. Appropriately, these costs may be imposed onthe subsequent users of the information, and indeed may serve as arevenue center for the institution or provider.

By externalizing administration of an archive database, the medicalinstitution has reduced costs for implementing and maintaininginfrastructure, and further due to the efficient distribution of recordsfrom a consolidated database, it is likely that an increased number ofrecords will be obtained. Therefore, the trustee, as proprietor of thecentralized database, may collect fees for the medical institutions.These fees, in turn, incentivize the institutions to cooperate with thetrustee. Usage fees are based on authorization, authentication, indexaccess, and database access and usage. Links provided by the index, forexample directly to internal institutional databases, may also beaccounted. The purpose of these numerous fees is primarily to optimallydistribute costs, rather than increase costs. Thus, the system accordingto the present invention is permissive of an outsourcing model for thecustodian medical institution. Indeed, this allows externalization ofthe archive, relieving the medical institution of the responsibility for(overhead includes personnel, space and equipment) maintaining a medicalrecord archive. Assuming a license for use of the records, fees may alsobe charged for the right to copy the record.

It is noted that, even if a medical professional is authorized to viewthe entire record, he may not wish to do so. Therefore, as anintermediate process to delivering and decrypting an entire record, theuser may be provided with an index of certain records, for selectionthereof. Preferably, a dense index and/or summary of the records areavailable in electronic format as well. Delivery and use of this summaryis, or course, an accountable item. The summary record is typicallystored in the database as an encrypted file, subject to the variousaccess, audit and accounting rules provided by the present invention.

When a requestor receives a file, he must enter his own decryption keyas well as the patient's decryption key. The patient's decryption key isobtained from the patient, or from a certification authority thatverifies the circumstances of access and the requirements therefore.However, the decryption need not be direct, i.e., it is not necessary touse the keys in a locally executing algorithm, to release the recordcontents. Rather, an on-line process is preferably implemented, in whichthe authentication (decryption) codes are entered, and accounting andaudit information processed, in order to release the file contents.Thus, the present system potentially provides a third level ofencryption, to support its own access restrictions, which, for example,may be driven by a need to account for access. This encryption may beapplied, for example, as the record is being prepared for transmissionfrom the database.

The on-line process also serves to protect patient privacy, since anaudit entry may be maintained for each usage, rather than only for thetransmission usage.

Thus, a plurality of components, individually or in combination orsubcombination, may be applied to support operation of the system.

A recent U.S. law, The Health Insurance Portability and AccountabilityAct of 1996 (HIPAA), is intended to improve the Medicare and Medicaidprograms and other Federal health programs and private health programs,and the effectiveness and efficiency of the health care industry ingeneral, by simplifying the administration of the system and enablingthe efficient electronic transmission of certain health information.This Act is to be implemented by regulations promulgated under authorityof the Secretary of Health and Human Services. See, e.g., 45 CFR Parts142, 160-164 (final and proposed rules), incorporated herein byreference. The system and method according to the present inventionpreferably complies with and implements the statute and proposed rules,to the extent that the system is encompassed thereby.

One aspect of the efficient administration of health systems is the useof standardized health care provider identifiers, for example thenational provider identifier (NPI), an 8-position alphanumericidentifier. Another aspect provides standardized format for thetransmission of medical record data. The present invention may implementunique individual health care identifiers or an arbitrary unique code.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present invention, and theadvantages thereof, reference is now made to the following descriptionstaken in conjunction with the accompanying drawings, in which:

FIG. 1 illustrates a block diagram of the overall network architecture;

FIG. 2 illustrates a representation of a virtual information trust;

FIG. 3 illustrates a representation of a linked medical informationrecords; and

FIG. 4 is a flow chart showing a procedure for processing requests formedical record access.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Example 1

The system according to the present invention provides a conduit for theauthorized transmission of records, which may be medical records, orother content, while maintaining the security of the records againstunauthorized access or use. A preferred communications network is theInternet 1, a global interconnected set of public access networks,employing standardized protocols. Thus, the records may be transmittedvirtually anywhere on earth using a single infrastructure. Alternately,private networks or virtual private networks (VPN) may be employed. Infact, as the system according to the present invention gains acceptance,a private network model (a “Medical Internet” or “Media Internet”) isprovided, in order to increase security and allow the system to be tunedto the types of data and quality of service demands made by users. A VPNemploys encryption to shield communications between two cooperativesources from external observation.

Where the data is transmitted on a public network or outside of aninstitution, it is preferably encrypted using multi-layer public keyencryption as well as SSL transport protocol, which is typicallyimplemented by web servers 3, 21 and web browsers in workstations 12.Internet security measures typically provide a firewall 2, 10, 20, 30between any internal network resources and the Internet.

In order to provide emergency access to system database contents, and toallow testing of system security and operation, a certificationauthority 31 generates and hold encryption keys in a secure database 32,which are released only under strictly defined circumstances.

The present invention provides a database 6 storing records, which maybe encrypted or unencrypted. For example, the records may be patientrecords, encrypted with a cryptographic key associated with therespective patient. The records may be received in encrypted form from asource, such as the custodian institution host 22, from custodiandatabase 23. The custodian host 22 retrieves the patient medical recordfrom the database, encrypts it, and transmits it through the internalnetwork 24 to web server 21, through firewall 20, to the Internet. Theencrypted file is received through the firewall 2 by web server 3, andstored, in conjunction with index server 5 in the entrusted medicalinformation database 6. A set of access rules is associated with eachrecord or discrete portion thereof, medical transaction record, alongwith the patient identifier and location of the encrypted medicaltransaction record, in the index server 5. The access rules may be adefault set of rules, for example based on a recipient role, context ofrequest, and/or rules defined by the patient or custodian institution.As is noted above, a trustee may act on behalf of the patient toauthorize access and use, and to implement financial transactions, withrespect to the records.

During each access to the custodian database 23, an entry is made withthe audit log server 25 in the custodian system. Likewise, during eachaccess of the index server 5 and/or entrusted medical informationdatabase 6, an entry is made with the audit log server 7 in the trusteesystem. A further aspect of the present invention provides a financialaccounting server 8, allocating an expense for use of the trustee systemresources.

A user of the trustee system typically seeks medical records belongingto a patient, although certain other uses of the system are permitted,in accordance with strictly enforced access, audit and accounting rules.The user, an intended recipient, access the system through aworkstation, connected to the Internet 1 through internal network 11 andfirewall 10. The user may be authenticated using, for example, ausername and password, or authenticated using a security card in cardreader 13, as well as a biometric identification, such as a facialimage, captured by video camera 14. The user's credentials may beauthenticated using profiles stored in the trustee system, thecertification authority 31, or at the recipient host system 16, indatabase 17. The user's request, interactions with the trustee system,and access to medical records may all be logged in audit log server 18.In some cases, the user may, after receiving information, reproduce iton a computer system, such as an audiovisual display, produce hardcopyin printer 15, or otherwise generate output using the content. In othercases, hardcopy output may be restricted.

As represented in FIG. 2, the trustee is organized as a virtual trustee60, holding digital information 63 in trust for the grantor 61. Thetrustee is responsible for authenticating recipient 62, as well asapplying access rules 65, which may be role based, context based, and/orspecifically defined by the patient, virtual trustee or custodianinstitution.

For purposes of FIG. 3, the information content is considereduser-private data. The access process begins 100 by the user accessingthe trustee system. The user must be authenticated 101. The userpresents a medical record query 102. In some cases, a user is notpermitted to access patient-identifiable records 103. For example, anacademic researcher may conduct a study of patient summary records. Inthis case, only anonymous summary record information 115 is accessible.The use of this data is audited and accounted 116.

According to an advertiser subsidy model, context-sensitive ads may bepresented to users, who are generally medical professionals, whilereviewing the records. Since these are context sensitive, they may beviewed as educational and relevant, and thus not disruptive. However,such context and context-sensitive information may also be consideredprivate information. Thus, while the system accounts to the advertiserfor the presentation of the ad, the identity and particular context ofthe patient, as well as the user, may be shielded from the advertiser.The context may be extracted in client software, which has access todecrypted patient records.

If patient identifiable information is available to the user, thepatient medical information trust index is accessed 104. From the index,the access rights for the particular user are determined 105, and anidentification returned to the user identifying available records withinthe access rights of the user 106. The recipient, after authenticationof identity and role, is thus presented with a list of medical recordsavailable and/or existing 106.

For sensitive records, even the existence may be shielded, while forless sensitive records, the content is shielded while the existence isnot. Examples of particularly sensitive information may includepolitical, religious, sexual, and financial information. Therefore, insome instances, the user may be informed of the existence of a recordwithout having access to the record. In other instances, even theexistence of the record is shielded from the user.

If the recipient is authorized to both be informed of the existence ofthe record and to receive the record 107, the user is given the optionto select desired records 108. The recipient then selects which recordsto receive, in an interactive process over the secure communicationschannel. The records are then “wrapped” with the controlled accessapplet, and encrypted with the recipient's public key and transmittedover the secure communications channel.

If a summary record is selected 109, it is retrieved 110, andspecifically associated with the identified patient. Advantageously,electronically coded summary records may be intrinsically anonymous, andthus are identified only by association with the respective patientthrough an index. Thus, the same summary record, albeit without thepatient personally identifying information, may be used for anonymoussummary information searches 115. The use of the summary record may alsotrigger an accounting/audit transaction 112.

If the selected record is a patient transaction record 113, then therecord is generally not anonymous, and only available to authorizedusers. The use of any patient record also triggers an accounting/audittransaction 114.

An index record is provided in the index server 5 for each database 6entry, providing an identification of the patient, a locator for theassociated record, and a set of access rules for the record, which mayprovide minimal information describing the record contents, such as themedical service, procedure, dates, or type of record. Typically, theindex does not include a summary of the record or outcome.

As represented in FIG. 3, a medical record is formed as a set ofprivileged transaction records 51, 53, 55, 57, each having its ownrespective access rule(s) 52, 54, 56, 58. The content records relatingto a single patient may be physically or logically associated with eachother, as represented by the lines between the privileged contentrecords 51, 53, 55, 57. The content is considered privileged in thataccess is restricted by understanding, contract or law.

These medical records thus are advantageously formed as a “MedicalInformation Polymer”, each element having its own access rules 52, 54,56, 58. Therefore, the index may include multipleindependently-accessible record elements or a contiguous set of records51, 53, 55, 57. Likewise, disparate and discontiguous records may beconnected through the index, even if derived from different institutionsor caregivers.

Since the access restrictions are defined at an atomic level of amedical information polymer, these may be applied both at the trusteeserver system, to limit access based on predefined rules, or at therecipient level, to limit access to desired records which are availablebased on the recipient authorization.

For example, a record is stored in a medical records database encryptedwith a respective patient-associated public key. Upon transmission, therecord is further encrypted with a transactional encryption algorithm(e.g., a session key), and further encrypted with the intendedrecipient's public key. The triple-encrypted message is then transmittedover a secure connection, e.g., SSL, or a VPN. In order to employ themedical record, the recipient first applies his private key, which maybe stored in a physical token, such as a smart card, fob, or key. Therecipient then engages in an on-line authentication/accountingtransaction, to decrypt the transactional-level encoding. This activityis logged in an audit database 7, and the activities accounted in anaccounting database 8. An applet “wrapper” associated with the record,in conjunction with the supplied patient-associated private key, allowsdecryption of the record itself, triggering potentially an additionalaccounting and/or audit transaction. Potentially (depending on thespecific rules), each use of the encrypted record may require a separateon-line transaction accounting session.

Each use of the record may also trigger an accounting/audit event 112,114, 116, thus allowing finely granular audit records of medical recordaccess, and reduces the risks of security and privacy breach afterrecord transmission. Importantly, this allows usage based financialaccounting for the records, imposing a financial burden based accordingto value. Therefore, the revenues for maintenance of the system may bebased on a number of factors, automatically calculated, which impose lowcosts for minimal usage of the records and larger costs on substantialuse of the records.

When a recipient seeks a record, he must identify himself, in some caseshis role in the authorized use of data or patient care, and the identityof the patient and/or record. The identification of the recipient isthen authenticated 101, for example using a digital signature orchallenge-response authentication scheme, in which messages are passedback and forth between the recipient and server. The recipient's role ischecked for consistency with the recipient's identity, but may change indifferent contexts.

It is understood that the operation of the system generally does notdepend on the content of the data. Therefore, instead of medical recorddata, the data could be media content data. In this case, an importantissue concerns the privacy of the user, or recipient of the data. Thus,instead of shielding the subject of the data from unauthorizeddisclosure of the data, the system seeks to protect the content and theprivacy of the user, while assuring that the owner of the content iscompensated, and the content is not released without restrictions onuse.

Example 2

John D. Halamka, Peter Szolovits, David Rind, and Charles Safran, “A WWWImplementation of National Recommendations for Protecting ElectronicHealth Information”, J. Am. Med. Inform. Assoc. 1997 4: 458-464,expressly incorporated herein by reference, provide a prototype medicalinformation database system (W3EMRS), called CareWeb, implemented at theBeth Israel Hospital (Boston Mass.), stored in a comprehensive,custom-built MUMPS-based system composed of 28,000 programs. Theclinical data at the Deaconess Hospital is stored in a Sybase clinicaldata repository. CareWeb unites these systems using an implementation ofthe W3EMRS architecture.

The present invention differs somewhat from the CareWeb implementation,but is largely compatible. Thus, for example, the CareWeb system mightimplement an institutional active record database while the systemaccording to the present invention also implements an independentmulti-institutional archive database.

Individual Authentication of Users

To properly authenticate individuals on any computer system containinghealth care data, every individual should have a unique secureidentifier for access. Such a policy allows individuals to be heldaccountable for all actions taken while logged on. Thus, where aclerical worker seeks to retrieve a file for a professional, that workershould have and use accurate personal identification. Using role-basedaccess rules, preferably verified on-line, the authority of therequestor may be verified. Therefore, in order to transfer authorityfrom a professional, e.g., an attending physician, to a clerical worker,the physician would delegate authority to the clerical employee usinghis own credentials, for example in a local institutional database.Thereafter, the trustee system according to the present invention,seeking to verify the access rules, would access the recipient (clericalemployee) record at the local recipient institution, which would furtherprovide the physician's credentials and inferred role based-accessprofile. After authentication, the clerical employee is granted accessto the index record to select desired medical records. The encryptedrecord is forwarded to the clerical employee as recipient. However,decryption of the record requires the physician key. In like manner, thephysician can, in accordance with policies of the local institution,provide authorization to the clerical employee to decrypt and processthe record. However, the custodian medical institution or patient mayset an enhanced security rule that requires that the authorizedphysician decrypt the record (or transaction contained in the record)personally.

Access Controls

Many health care computing systems allow all users to view allinformation. There is, however, no good reason for a laboratorytechnician to read the confidential full text data contained in apatient psychiatric profile. Health care providers should be allowed toview clinical information on a need-to-know basis. The most obviousimplementation of such controls would be to assign access to differenthealth care computing functions based on job role. The present inventionprovides a system and method for transmitting all or a portion of thepatient medical record in a secure “wrapper”. This facilitatesmaintenance of privacy at the recipient institution, since the encryptedrecord may be maintained on the recipient private network and databasewith greatly reduced security and privacy risks. Preferably, therecipient computer record-keeping system fully supports the privacyfeatures of the record, and therefore provides transparent support forthe security and authentication features therein. For example, thesecure wrapper may include a JAVA applet to authenticate the user andperform transactional communications and decryption. Therefore, therecipient institutional system need only provide a JAVA Virtual Machine(JVM), sufficient security permissions for operation, and sufficientcommunications permissions to conduct the on-line elements of theauthentication, accounting and audit functions.

In one form of access control, different system functions are availablebased on job role. A more sophisticated implementation would tailorcontent within functions by job role. For example, a discharge summarycould be viewed by both a physician and a billing coder, but details ofthe patient's psychiatric evaluation would not appear for the coder.Further, the coder typically would not have access to patient recordstransmitted from another institution, or to records from a pastadmission.

The authenticity of each user may be verified with a hardware token,such as the RSA SecurID hardware token. These tokens are small, handhelddevices containing microprocessors that calculate and displayunpredictable codes. These codes change at a specified interval,typically 60 seconds. For example, each user accessing CareWeb begins asession by entering a username, a memorized personal identificationnumber (PIN), and the currently displayed password from the SecurIDdevice. This information is transmitted to a security server, whichauthenticates the user and verifies that the correct password wasentered. The security server compares the user-entered password with itsknowledge of what password should have been entered for that 60 secondperiod. If the password does not match, it also checks the password fromthe previous 60 second period to account for delays in typing andtransmission. Once a password is verified, the user is authenticated forthe duration of the session, or possibly with a maximum timeout limit,such as 15 minutes, whichever is shorter.

In the CareWeb system, an encrypted security “cookie” is sent back tothe user's browser, and this cookie is automatically used for all futuresecurity dialogs. Using Visual Basic Script and Microsoft's ActiveServer Pages, the cookie is dynamically decrypted within the Web serverand invisibly re-verify authentication before responding to additionalrequests for health care data. This, of course, presents securityissues, since Visual Basic Script capabilities are a known securityweakness.

The present invention therefore employs secure public key decryption foreach record, at the client system, which may, of course, employ ahardware token similar to the SecurID device.

If the security token is lost or stolen, it can be immediatelydeactivated for the entire enterprise by disabling it at the securityserver.

Access Validation

In the CareWeb system, in addition to storing encrypted username andpassword information, the security cookie contains the job role of theuser. Again, this may pose security threats, for example if the securitycookie is borrowed from the client machine, and employed in a secondcommunication session within the time limit parameters. Displays ofhealth care information are generated dynamically by Active Server pagescripts, which are capable of assembling a multi-institutional medicalrecord. The scripts can tailor delivered health care information basedon the job role indicated by the cookie. This consolidation is avoidedin the present invention, as the record must be decrypted before use.However, as a part of, or subsequent to, the decryption process, thedecrypted information may be imported into a recipient database system,as long as the security permissions do not prohibit this.

Physical Security and Disaster Recovery

The system according to the present invention transmits encryptedrecords, and thus physical security concerns are lessened. Standardprecautions within the trustee system itself, such as positioning ofcomputer terminals where they cannot be accessed by unauthorized users,and denying unauthorized personnel access to paper printouts andelectronic storage are advisable. The trustee database is preferablyreplicated or distributed, both to provide fault tolerance andscalability. Backup tapes are therefore made frequently, and tapeshoused off site in the case of a physical disaster.

Protection of Remote Access Points

Since the system according to the present invention transmits encryptedrecords to authenticated individuals over a secure channel, thiseffectively amounts to firewall protection, i.e., protection againstaccess by the general public. In fact, a firewall system proper is alsopresent, in that the maintenance of the database is protected frompublic access, and the database proper is only accessible through theindex server. The index server is further only accessible after userauthentication. The firewall system thus provides strong, centralizedsecurity. All remote accesses are protected by single session orencrypted passwords, for example using challenge-response authenticationschemes, SSL, VPNs or the like.

All patient-identifiable data transmitted over public networks isencrypted. As discussed above, the present invention preferably providesmultiple levels of encryption of the patient data, with appropriatecontrols at each level.

An electronic signature may be used to “sign” submitted medical records,and a cryptographic digital signature should be used when retrievingrecords to ensure records are not modified during the transmissionprocess. Recipients may also provide a request for records with adigital signature. Where role-based access rules are executed remotelyfrom the trustee, these may be embedded in the record with a digitalsignature, such that if the rule set is tampered with, the recordbecomes essentially unusable.

Audit Trails

While external “hackers” pose a security threat to medical records, aperhaps more important threat comes from “insiders”, e.g., inappropriatehealth care data access from inside the organization. Such threatsinclude the possibility of individuals not involved in a patient's careto look up the records of VIPs, celebrities, relatives, friends, andfellow employees. By providing a finely granular audit trail, includinga log of all accesses to information, including time, date, informationaccessed, and user ID, a great disincentive will be created for medicalprofessionals to inappropriately access records. Audit trails should beavailable for patient review on demand. Therefore, the present inventionprovides that an audit log be retained within the trustee (central)system, which may also be recorded at the recipient system. Thecustodian medical institution may also retain an access log for itsrecords. The audit trail may be closely linked to an accountingdatabase, to provide a basis for charging a patient or recipient for useof the record or services rendered in providing the record.

The accounting payments may be so-called micropayments, discussed above,fully verified transactions, such as credit-card type transactions, orsimply “on account”. Preferably, a micropayment model is adopted, sincethis may result in reduced transactional costs and greater efficiency.It is noted that, in the context of the present invention, the risk ofdefault by any party is minimal, and thus a requisite presumption of amicropayment scheme is met.

Expanded Multi-Organizational Audit Trails

In any multi-institutional architecture there are multiple places tocapture the audit, for example, at the institutional level, where theinformation is stored (the sites), at an intermediary level, such as thetrustee, or at the point where the information is delivered. Accordingto the present invention, the audit trail is captured at both levels,and indeed may also be transmitted, as appropriate, to the custodianmedical institution or to the patient.

A multi-institutional auditing system facilitates patient's access tothe details of the movement of their medical information throughout thehealth care enterprise. The trustee systems therefore preferablyprovides a function for patient access to such logs, and indeed to therecord as a whole.

The CareWeb system employs RSA digital signatures to authenticate users.The present invention, however, may employ public key infrastructure tosecure the record content as well, for example to provide patientsecurity, recipient security, and session keys.

Thus, each request is signed with the recipient's private key. Therequest is sent to the server, which uses the associated public key tovalidate the digital signature through standard hashing andsignature-verification methods. The server retrieves the informationrequested and may sign the response with its private key. The serverthen generates a session key, which it uses to encrypt the response. Thesession key is retained at the server, and released only after anaccounting/audit transaction is completed. When the transactionlogging/accounting is completed, the session key is then encrypted,using the recipient's public key. Thus, the encrypted session key andencrypted data may be sent back to the recipient separately, with anoff-line or clerical transmission of the record file, which may bevoluminous, and a separate on-line transaction to obtain the sessionkey. The session key is decrypted using the recipient's private key. Theencrypted response is decrypted using the decrypted session key.Finally, the response is validated using the server's public key. Alldecrypted site server messages are consolidated into a single Web pageand returned to the original requesting browser over the Secure SocketsLayer.

Thus, the present invention allows for the desynchronization oftransmission of the encrypted file and the authorization and accountingtransactions for use of the encrypted information.

Digital signature cryptography methods may be used for all networktransmissions, seeking to ensure the integrity of all health datadelivered.

The recipient, after personal authentication and role authenticationgains access to the index data, which provides a listing of availablerecords or record identifiers. The information contained in the index ispreferably minimalistic, such as “physical therapy”, “dischargesummary”, “flowchart”, “radiology”, and possibly an associated date. Insome instances, the database record consists of an entirehospitalization record. These identifiers may be used both to identifythe record and to trigger access rules. The recipient then selectsrecords for download, as discussed above.

An accounting and audit transaction is triggered, by the index access,downloading, and subsequent on-line transaction for decryption.

Other embodiments will be apparent to those skilled in the art fromconsideration of the specification and practice of the inventiondisclosed herein. It is intended that the specification and examples beconsidered as exemplary only, with a true scope of the invention beingindicated by the following claims.

1. A method for controlling access to a medical record of a patienthosted by at least one medical record repository, comprising a pluralityof record portions, each record portion having associated differentpatient-controlled access control criteria, comprising: (a) receiving,by an intermediary, a request for a medical record from a requestor,said request comprising a medical record identifier, a requestoridentifier, requestor authentication information, and patient-providedaccess control authorization; (b) providing an automated processoradapted for automatically processing, by the intermediary, the requestfor the medical record to authenticate the requestor and determinesufficiency of the patient-provided access control authorization to meetthe patient-controlled access control criteria for each respectiverecord portion encompassed by the request; and (c) selectivelycommunicating, through an automated communication network, from theintermediary to the at least one medical record repository, anidentification of each record portion for which patient-controlledaccess control criteria are determined to be sufficient for access bythe requestor; and (d) generating an electronic payment authorizationassociated with the request, for compensation of at least one of theintermediary and the at least one medical record repository.
 2. Themethod according to claim 1, further comprising generating an electronicpayment authorization associated with the request, for compensation ofthe at least one medical record repository.
 3. The method according toclaim 1, further comprising the step of persistently storing at leasteach request for which patient-controlled access control criteria aredetermined to be sufficient for access by the requestor.
 4. The methodaccording to claim 1, further comprising the step of determining a roleof a requestor in a medical care of a patient, and determining asufficiency of the patient-provided access control authorization to meetthe patient-controlled access control criteria at least in dependence onthe determined role.
 5. The method according to claim 1, furthercomprising accounting by the intermediary, in a financial accountingdatabase, for the request.
 6. The method according to claim 1, whereinthe intermediary ensures that the requestor has entered into arestriction limiting retransmission of the medical record.
 7. A systemadapted to control access to a patient medical record hosted by at leastone medical record repository comprising a plurality of record portions,each record portion being associated with different patient-controlledaccess control criteria, said system comprising an automated processor,a database adapted to store information for authenticating requestors, adatabase adapted to store information for determining patient-controlledaccess control criteria for respective record portions of a patientmedical record, and a computer network interface, said processor beingcontrolled by instructions stored on a computer readable storage mediumto: (a) receive a request for a medical record from a requestor, saidrequest comprising a medical record identifier, a requestor identifier,requestor authentication information, and patient-provided accesscontrol authorization; (b) process the request for the medical record,to authenticate the requestor and determine sufficiency of thepatient-provided access control authorization to meet thepatient-controlled access control criteria for each respective recordportion encompassed by the request; (c) selectively communicate throughthe computer network interface to the at least one medical recordrepository, an identification of each record portion for which accesscontrol criteria are determined to be sufficient for access by therequestor; and (d) generating an electronic payment authorizationassociated with the request, for compensation of at least one of saidsystem and the at least one medical record repository.
 8. The systemaccording to claim 7, wherein said processor is further controlled byinstructions to generate an electronic payment authorization associatedwith the request, for compensation of the at least one medical recordrepository.
 9. The system according to claim 7, wherein said processoris further controlled by instructions to persistently store at leasteach request for which patient-controlled access control criteria aredetermined to be sufficient for access by the requestor.
 10. The systemaccording to claim 7, wherein said processor is further controlled byinstructions to determine a role of a requestor in a medical care of apatient, and determining a sufficiency of the patient-provided accesscontrol authorization to meet the patient-controlled access controlcriteria at least in dependence on the determined role.
 11. The systemaccording to claim 7, wherein said processor is further controlled byinstructions to account, in a financial accounting database, for therequest transaction.
 12. The system according to claim 7, wherein saidprocessor is further controlled by instructions to ensure that therequestor has entered into a restriction limiting retransmission of themedical record.
 13. A method for controlling access to a medical recordof a patient hosted by at least one medical record repository,comprising: (a) receiving, by an intermediary, a request for a medicalrecord comprising a plurality of record portions, each record portionhaving an associated different patient-controlled access controlcriteria, from a requestor, said request comprising a medical recordidentifier, a requestor identifier, and requestor authenticationinformation; (b) automatically processing, by an automated processorassociated with the intermediary, the request for the medical record toauthenticate the requestor; (c) receiving, by the intermediary, apatient-provided access control authorization associated with a requestfor a medical record from a requestor; (d) automatically processing, bythe automated processor associated with the intermediary, the requestfor the medical record, to further determine sufficiency of thepatient-provided access control authorization to meet thepatient-controlled access control criteria for each respective recordportion encompassed by the request; (e) selectively communicatingthrough an automated communication network, from the intermediary to theat least one medical record repository, an authenticated request foraccess to the medical record by the requestor and an identification ofeach record portion for which access control criteria are determined tobe sufficient for access by the requestor; and (f) generating anelectronic payment message associated with the request, relating tocompensation of at least one of the intermediary and a medical recordrepository.
 14. The method according to claim 13, further comprising thestep of persistently storing at least each request for whichpatient-controlled access control criteria are determined to besufficient for access by the requestor.
 15. The method according toclaim 13, further comprising the step of determining a role of arequestor in a medical care of a patient, and determining a sufficiencyof the patient-provided access control authorization to meet thepatient-controlled access control criteria at least in dependence on thedetermined role.
 16. The method according to claim 13, furthercomprising accounting by the intermediary, in a financial accountingdatabase, for the request.
 17. The method according to claim 13, whereinthe intermediary ensures that the requestor has entered into arestriction limiting retransmission of the medical record.
 18. Themethod according to claim 13, further comprising a context of a requestfor access to the medical record by the requestor, and determining asufficiency of the patient-provided access control authorization to meetthe patient-controlled access control criteria at least in dependence onthe determined context.
 19. The method according to claim 13, furthercomprising encrypting at least a portion of the medical record for whichthe request for access is authenticated for secure transmission over apublic communications network.